Security Incidents: RE: I think I've been hacked...please help!

From: KoRe MeLtDoWn <koremeltdown_at_hotmail.com>
Date: Tue, 09 Apr 2002 02:01:12 +0000

I would suggest this is a custom made trojan that is connecting to an irc
server when a RAS connection is detected.
Try using MSConfig to see if anything unusual is working, also try
installing zone alarm for a check at what is accessing the network from that
machine - available from www.zonelabs.com
If someone is using a trojan it will be picked up using zone alarm even if
it is custom made.
Hope my info helps...

Peter Francis

Owner/Operator
-= KoRe WoRkS =- Internet Security
http://www.koreworks.com/

Is your box REALLY secure?

>From: "Arnold, Jamie" <harnold_at_binghamton.edu>
>To: "'incidents_at_securityfocus.com'" <incidents_at_securityfocus.com>
>Subject: RE: I think I've been hacked...please help!
>Date: Mon, 8 Apr 2002 16:06:34 -0400
>
>All:
>
>I have several machines that are using excessive bandwidth. Upon
>inspection, I find multiple connections to servers with names like
>irc.badguuy.com, etc., on 6667. Incoming connections are random although
>1067 seems to be a common one. I have 4 instances of cmd.exe running and 2
>of win.exe. While it looks like Egghead, the reg entries aren't there nor
>the directories/files. These machines all had an account ID of Microsoft
>with admin privs on them. They don't connect to a domain and were set up by
>the department "tech" person who left them wide open. What is confusing to
>me is that one of them uses our Exchange server which is protected by
>Antigen (and I pull nearly every extension known to man) and McAfee on the
>desktop. I can't find anything that matches this. Anyone have any insight?
>
>Thanks
>
>J
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
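
The triage both posts describe (which processes hold connections to IRC servers on 6667, and whether cmd.exe instances own any sockets) can be scripted over `netstat -ano` and `tasklist` output. The following is an added example, not code from either poster; the netstat lines and the PID-to-image map are constructed sample data, and the port and image lists are assumptions.

```python
import re

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.20:1067      203.0.113.9:6667       ESTABLISHED     1444
  TCP    192.168.1.20:1068      203.0.113.9:6667       ESTABLISHED     1460
  TCP    192.168.1.20:1039      192.168.1.5:139        ESTABLISHED     4
  TCP    192.168.1.20:1071      198.51.100.77:80       ESTABLISHED     1012
  TCP    0.0.0.0:1067           0.0.0.0:0              LISTENING       1444
"""

# Constructed PID -> image name map, as `tasklist` would report it.
TASKLIST_SAMPLE = {4: "System", 1012: "iexplore.exe", 1444: "cmd.exe", 1460: "win.exe"}

IRC_PORTS = {6667, 6668, 6669, 7000}   # assumed set of common IRC ports
SHELL_IMAGES = {"cmd.exe"}             # a shell should not own sockets on a desktop

# Proto, local, foreign, optional state (UDP rows have none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)?\s+(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append((proto, local, remote, state or "", int(pid)))
    return rows


def split_addr(addr):
    """Split an IPv4 'host:port' string as printed by netstat."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def find_suspicious(netstat_text, tasklist):
    """Flag rows that talk to IRC ports or are owned by a shell image."""
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        _, rport = split_addr(remote)
        _, lport = split_addr(local)
        image = tasklist.get(pid, "<unknown>")
        reasons = []
        if rport in IRC_PORTS:
            reasons.append("remote port %d (IRC)" % rport)
        if image.lower() in SHELL_IMAGES:
            reasons.append("%s %s on local port %d" % (image, state.lower(), lport))
        if reasons:
            findings.append({"pid": pid, "image": image, "remote": remote, "reasons": reasons})
    return findings
```

Run against real output, each finding gives the PID to inspect before killing anything, which is the evidence the original poster was missing.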


Received on Apr 09 2002