Security Incidents mailing list archives
Re: Possible System Compromise
From: H C <keydet89 () yahoo com>
Date: Tue, 9 Jul 2002 16:27:26 -0700 (PDT)
David,

A couple of questions:

1. How does this information that you've provided below relate to the title of "possible system compromise"?

2. Have you retrieved any process information from the system? Using pslist/handle/listdlls from SysInternals, and "netstat -ano" on the XP box, will provide detailed process information.

3. Have the contents of any of these files been examined? Have the MAC times of the files been recorded, and any of them opened in a hex editor, or even Notepad?

4. Has any information been collected from the system, such as open/running services, processes, etc? Has _any_ incident response been done at all? Was auditing enabled on the XP system, such that Process Tracking might provide some information?
--- David Baker <bakerd () mitre org> wrote:
All,

I have a person that contacted me after some strange files appeared in the root directory of his Windows XP box. This person is remote from me, and I don't have a lot to go on right now, but there are about 30 files that appeared in the root directory:

S3no 23KB
S3no.1 7KB
S3no.2 4KB
S3no.3 23KB
S3no.4 472KB
S3no.5 23KB
S3no.6 7KB
S3no.7 4KB
S3no.8 23KB
S3no.9 472KB
S3no.a 23KB
S3no.b 7KB
S3no.c 4KB
S3no.d 23KB
S3no.e 472KB
S3no.f 23KB
S3no.g 7KB
S3no.h 4KB
S3no.i 23KB
S3no.j 472KB
S3no.k 23KB
S3no.l 7KB
S3no.m 4KB
S3no.n 23KB
S3no.o 472KB
S3no.p 23KB
S3no.q 7KB
S3no.r 4KB
S3no.s 23KB
S3no.t 472KB

This sounds familiar to me, but I cannot seem to find anything in my archives about this one. I also couldn't find anything relevant with a couple of searches. Does anyone have a cluebat they can smack me with? The pattern of file sizes is constant. All the files have the same date/time: 6/16/2002 at 6:42pm.

Thanks in advance.

Dave B.
--
------------------------------------------------------------
David W. Baker
bakerd () mitre org
Lead INFOSEC Engineer
G023 - Secure Information Technology
The MITRE Corporation
(703) 883-3658
(703) 883-4589 (F)
Mailstop W435
7515 Colshire Drive, McLean, VA, 22102
------------------------------------------------------------
"Cyberspace. A consensual hallucination experienced daily by billions of legitimate operators, in every nation, by children being taught mathematical concepts... A graphic representation of data abstracted from the banks of every computer in the human system. Unthinkable complexity. Lines of light ranged in the nonspace of the mind, clusters and constellations of data. Like city lights, receding..."
- William Gibson, "Neuromancer"
"640K ought to be enough for anybody." - Bill Gates, 1981
-------------------------------------------------------------
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
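Added example, not part of either message in the thread: a small triage helper that does two of the things H C asks about before anyone opens the files in Notepad. It records each file's MAC times and a SHA-256 (stat first, then hash, since reading a file can update its access time), and it checks the "constant pattern" of sizes David noticed by finding the shortest repeating period in the size sequence and grouping names by size and by hash. The directory listing is reconstructed from David's post (name and size in KB only); the files the demo creates are zero-filled stand-ins in a temporary directory, so the hashes and timestamps it produces say nothing about the real S3no files.

```python
"""Triage helper for a batch of unexplained files (added example, not from the thread)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Listing reconstructed from David's post: 30 names, sizes cycling 23,7,4,23,472 KB.
# The names and sizes are the page's; everything else about the files is unknown.
SUFFIXES = [""] + list("123456789") + list("abcdefghijklmnopqrst")
SIZES_KB = [23, 7, 4, 23, 472]
LISTING = [("S3no" + ("." + s if s else ""), SIZES_KB[i % len(SIZES_KB)])
           for i, s in enumerate(SUFFIXES)]


def size_period(sizes):
    """Shortest p such that sizes[i] == sizes[i + p] for every i; len(sizes) if none."""
    n = len(sizes)
    for p in range(1, n):
        if all(sizes[i] == sizes[i + p] for i in range(n - p)):
            return p
    return n


def group_by_size(listing):
    """Map size -> list of names, so same-size files can be compared by hash."""
    groups = {}
    for name, size in listing:
        groups.setdefault(size, []).append(name)
    return groups


def record_mac_times(paths):
    """Record size, MAC times (UTC ISO-8601) and SHA-256 for each path.

    os.stat is called before the file is read: opening it for hashing may
    update atime, and the pre-read value is the one an investigator wants.
    st_ctime is creation time on Windows but inode-change time on POSIX.
    """
    records = []
    for path in paths:
        st = os.stat(path)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        to_iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
        records.append({
            "name": os.path.basename(path),
            "size": st.st_size,
            "mtime": to_iso(st.st_mtime),
            "atime": to_iso(st.st_atime),
            "ctime": to_iso(st.st_ctime),
            "sha256": digest,
        })
    return records


def group_by_hash(records):
    """Map sha256 -> names; identical hashes mean byte-identical copies."""
    groups = {}
    for rec in records:
        groups.setdefault(rec["sha256"], []).append(rec["name"])
    return groups


def demo():
    """Create zero-filled stand-ins matching the listing's sizes and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, kb in LISTING:
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(b"\0" * (kb * 1024))  # constructed content, not the real file
            paths.append(path)
        return record_mac_times(paths)


if __name__ == "__main__":
    sizes = [kb for _, kb in LISTING]
    print("size period:", size_period(sizes))
    for size, names in sorted(group_by_size(LISTING).items()):
        print(f"{size:4d} KB x{len(names):2d}: {' '.join(names)}")
    for rec in demo():
        print(rec["name"], rec["size"], rec["mtime"], rec["sha256"][:16])
```

On a real box the investigator would pass the actual paths to record_mac_times and keep the output alongside the pslist/netstat captures; the demo only shows the shape of the output. Identical SHA-256 values within a size group would tell you the 30 files are a handful of distinct blobs written repeatedly, which is a very different picture from 30 unrelated files with coincidentally similar sizes.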