Security Incidents mailing list archives

Re: Compromised Win2000 machine.
From: Daniel Hay <dhay () drexel edu>
Date: Wed, 29 May 2002 14:05:55 -0400




Danny took the typical action seen of most
admins...port scanning the system from the outside,
and comparing the open ports to lists of known trojans
and services.  This is inconclusive at best, and leads
to a lot of speculation and time-wasting.  Better to
run fport on the system (if NT/2K...if the system is
XP, run netstat w/ the '-o' switch) instead, to see
the process to port mapping.


I took the only action I could, given I don't have physical access to the machine and still have not been able to contact the owner. We are currently just watching traffic to and from the box to see if we can see anything that may constitute a pattern that could be used to find other hosts on campus that have already been or may in the future be owned by similar tools.

Danny
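
The process-to-port mapping recommended in the quoted text, as an added example that is not part of the original thread: it parses captured `netstat -ano` output and reports listeners that do not match a known-good baseline. The sample output, the PID-to-image table and the baseline are constructed for illustration.

```python
# Constructed sample of `netstat -ano` output (not from the original post).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING       2316
  TCP    192.0.2.10:1045        198.51.100.7:6667      ESTABLISHED     2316
  UDP    0.0.0.0:445            *:*                                    4
  UDP    0.0.0.0:31337          *:*                                    2316
"""

# Constructed PID-to-image table, as would be taken from the host's process list.
SAMPLE_PROCESSES = {4: "System", 884: "svchost.exe",
                    1204: "inetinfo.exe", 2316: "unexpected.exe"}

# Hypothetical baseline: which image is expected to own each listening port.
EXPECTED = {("TCP", 80): "inetinfo.exe", ("TCP", 135): "svchost.exe",
            ("TCP", 445): "System", ("UDP", 445): "System"}

def parse_netstat(text):
    """Return (proto, local_port, state, pid) for every socket line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP") or not parts[-1].isdigit():
            continue  # skip headers, blank lines and malformed rows
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        state = parts[3] if proto == "TCP" and len(parts) == 5 else ""
        port = int(local.rsplit(":", 1)[1])  # rsplit also copes with [::]:80
        rows.append((proto, port, state, pid))
    return rows

def unexpected_listeners(rows, processes, expected):
    """Listeners whose owning image differs from the baseline (or is absent)."""
    findings = []
    for proto, port, state, pid in rows:
        if proto == "TCP" and state != "LISTENING":
            continue  # UDP has no state column; every bound UDP socket counts
        image = processes.get(pid, "<unknown>")
        if expected.get((proto, port)) != image:
            findings.append((proto, port, pid, image))
    return sorted(findings)

if __name__ == "__main__":
    for f in unexpected_listeners(parse_netstat(SAMPLE_NETSTAT),
                                  SAMPLE_PROCESSES, EXPECTED):
        print("unexpected listener: %s/%d pid=%d image=%s" % f)
```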




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

