Security Incidents mailing list archives

RE: They got me!!!


From: "Terry Vernon" <tvernon24 () comcast net>
Date: Thu, 6 Apr 2006 10:02:22 -0500

I see something along these lines every day. What has most likely happened
is they clicked on something or fell for a trick they shouldn't have. The
Trojan was probably the first thing in, not, as you assume, after the
fact. I would begin by interrogating the kids, lol. What I would do is
recover all files deleted in the timeframe you were gone with something like
Active UnDelete or whatever your favorite is. Usually a Trojan deletes the
installation file, so that might give you more insight into where it was
downloaded.

I'd say what probably happened is they were at a site they thought was OK,
clicked "Yes" to a fake prompt you see on some of these shady sites, and
followed instructions hoping to play a game or something. I'd go so far as to
say it didn't even matter that your other systems were offline, because a
Trojan kiddie usually doesn't even think about the existence of a LAN. The
biggest headache is going to be recovering any lost accounts due to password
theft. All the other stuff can be fixed as easily as a reinstall of Winblows
XP.

-----Original Message-----
From: pentesticle () yahoo com [mailto:pentesticle () yahoo com] 
Sent: Wednesday, April 05, 2006 11:24 AM
To: incidents () securityfocus com
Subject: They got me!!!

Hey list!!!

My kids left their puter on while I was away on vacation and some 
loverly person managed to gain access to the puter. Unfortunately I was on 
vacation so had all of my systems off except the one the kids turned 
back on, so my sniffer was off as well.

I don't know much from the forensics side of the house as I mainly
perform audits and such, so was hoping I could get some insight as to where to
start and tools to use to find everything that was done to the
computer.

My AV software picked up a trojan, but I figure it was after the fact and
is still resident on the system. It almost appears that they accessed
Hotmail and picked up files from a mailbox. (Sure wish my sniffer would
have been on :( ) The local Symantec firewall is being bypassed and most
of the services won't start. Term Svcs among others has been set to
manual but starts up automatically with Windows (I had it disabled before)
and will not allow me to stop the service. I keep the system up to date
with patches and AV signatures and use 25-char passwords with
fingerprint scanners for the kids to use, so am not certain what they used
to exploit, but given time anything can be broken. My fingerprint scanner
doesn't show any failed logon attempts while we were gone, but the
security logs show numerous failed attempts by all of the accounts, so I'm
assuming they are trying to remotely access the PC. I'm thinking they gained
access to the account that was currently logged in, as it shows that
particular account's privileges were escalated in the log files
several times, then shortly after it shows the system account making
changes to the system.

Anyway, if someone could recommend where to start and what tools I
should use, I guess this will begin my forensics career and OJT...

Much appreciated :)
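The two log patterns the original post describes (failed logons against every account, then a privilege assignment for the logged-in account followed by activity under SYSTEM) can be pulled out of an exported Security log mechanically. The script below is an added example written for this archive page; it is not code from either poster. It assumes the log has been exported to a CSV layout of `time, event id, account, logon type, source` (a hypothetical export format), uses the pre-Vista event IDs 528/529 (successful/failed logon), 576 (special privileges assigned to new logon) and 592 (process created), and runs over a constructed sample, not real data from the incident.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Windows 2000/XP/2003 Security log event IDs (pre-Vista numbering).
EVT_LOGON_OK = 528        # successful logon
EVT_LOGON_FAIL = 529      # failed logon: unknown user name or bad password
EVT_SPECIAL_PRIV = 576    # special privileges assigned to new logon
EVT_PROCESS_CREATED = 592 # a new process has been created
LOGON_TYPE_TS = "10"      # RemoteInteractive: Terminal Services / Remote Desktop

# Constructed sample export, not real log data. Columns are an ASSUMED
# layout: time, event id, account, logon type, source workstation/address.
SAMPLE_LOG = """\
2006-03-30 02:14:01,529,Administrator,10,10.0.0.77
2006-03-30 02:14:04,529,kid1,10,10.0.0.77
2006-03-30 02:14:07,529,kid2,10,10.0.0.77
2006-03-30 02:14:09,529,Guest,10,10.0.0.77
2006-03-30 02:31:40,528,kid1,10,10.0.0.77
2006-03-30 02:31:40,576,kid1,10,10.0.0.77
2006-03-30 02:33:12,592,SYSTEM,,-
2006-03-30 02:33:15,592,SYSTEM,,-
2006-03-31 18:05:00,529,kid1,2,WORKSTATION
2006-03-31 18:05:20,528,kid1,2,WORKSTATION
"""


def parse_events(text):
    """Parse the assumed CSV export into dicts sorted by time."""
    events = []
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        ts, eid, account, ltype, source = row
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(eid),
            "account": account,
            "logon_type": ltype,
            "source": source,
        })
    events.sort(key=lambda e: e["time"])
    return events


def failed_logon_bursts(events, window=timedelta(minutes=5), min_accounts=3):
    """One source failing against many distinct accounts inside `window`
    is the 'failed attempts by all of the accounts' pattern (a password
    spray / brute force), as opposed to a user mistyping one password."""
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == EVT_LOGON_FAIL:
            by_source[e["source"]].append(e)
    findings = []
    for source, fails in by_source.items():
        for i, start in enumerate(fails):
            accounts = {f["account"] for f in fails[i:]
                        if f["time"] - start["time"] <= window}
            if len(accounts) >= min_accounts:
                findings.append({
                    "source": source,
                    "first_seen": start["time"],
                    "accounts": sorted(accounts),
                    # logon type 10 means the attempts came over Terminal Services
                    "via_terminal_services": any(
                        f["logon_type"] == LOGON_TYPE_TS for f in fails),
                })
                break
    return findings


def privilege_then_system(events, window=timedelta(minutes=10)):
    """A 576 (special privileges) for an ordinary account followed shortly
    by events logged under SYSTEM: the escalation-then-system-changes
    sequence described in the post."""
    findings = []
    for i, e in enumerate(events):
        if e["event_id"] != EVT_SPECIAL_PRIV or e["account"].upper() == "SYSTEM":
            continue
        followers = [f for f in events[i + 1:]
                     if f["account"].upper() == "SYSTEM"
                     and f["time"] - e["time"] <= window]
        if followers:
            findings.append({"account": e["account"], "time": e["time"],
                             "system_events": len(followers)})
    return findings


def triage(text):
    """Run both checks over an exported log and return the findings."""
    events = parse_events(text)
    return {"bursts": failed_logon_bursts(events),
            "escalations": privilege_then_system(events)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        for item in items:
            print(kind, item)
```

On the sample, the first check reports one source (10.0.0.77) trying four accounts over Terminal Services in eight seconds, while the single mistyped password from WORKSTATION the next day is ignored; the second check ties the 576 for kid1 to the two SYSTEM process-creation events that follow it. The thresholds (`window`, `min_accounts`) are tuning knobs, not fixed rules; tighten them on a quiet home box, loosen them on a busy server.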

