Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: Re: Unknown Hosts file

Re: Unknown Hosts file

From: H C <keydet89_at_yahoo.com>
Date: Mon, 1 Apr 2002 18:02:45 -0800 (PST)

Dave,

This may actually be nothing more than a practical
joke...after all, it's been listed on such sites as
HappyHacker.org and others for years.

Did you happen to preserve the MAC times and maybe
even the owner of the file? I'm assuming auditing
wasn't enabled, b/c otherwise you'd be able to
correlate the last write time with a login.

Scanning for viruses is good, but you may want to
check for other stuff, too. After all, there are nice
little 'gifts' that some A/V tools don't pick up. I
was at a gov't site, and their A/V product didn't pick
up netcat.

Have you checked open ports? Use netstat to start,
but if you find anything suspicious, grab a copy of
fport from FoundStone's site. Also check processes w/
pslist and listdlls from the SysInternals site, and
maybe even grab pulist from the RK. Check the running
services, as well.

'course, logging is helpful in these incidents, but it
has to be enabled *before* the incident.

HTH

> I have a client machine running Windows 2000
> Professional. All of a sudden, one day, the user
> was
> unable to access several of the most popular
> websites (i.e. google, yahoo, cnn, etc.). I noticed
> that
> the machine was attempting to access the wrong IP
> address for all the websites, in fact, it was
> attempting
> to access the SAME IP address for every website in
> the group. After some research, I found there was a
>
> Hosts file with all the domains in question listed,
> and
> the erroneous IP address. Has anyone ever come
> accross an incident where a virus or trojan would
> place a Hosts file onto a system. I have thoroughly
>
> scanned the machine for viruses, open ports, etc.
> and found nothing. Is there anything else I should
> be
> on the lookout for?
>
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management
> and tracking system please see:
> http://aris.securityfocus.com
>

__________________________________________________
Do You Yahoo!?
Yahoo! Tax Center - online filing with TurboTax
http://http://taxes.yahoo.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Apr 02 2002

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos