Security Incidents
mailing list archives
Re: maybe a simple problem
From: "Michael Anuzis" <michael_anuzis () hotmail com>
Date: Thu, 03 Oct 2002 06:44:58 -0400
Another thing you might try, since it's a win98 machine that was hacked and
*all* the developed trojans I've heard of that would work on win98 either
use TCP or UDP, would be a simple port scan. Port scan TCP, port scan UDP,
make sure *every single port* is checked. When a high port shows up that is
suspicious you may have nailed your problem right there. You may even get
lucky if the offenders haven't changed the default port and your port
scanner (like nmap) would be able to tell you which trojan it is right
then/there.
From my experience, the 3 most common you may want to have him look for
would be:
1. SubSeven
2. Back Orifice
3. Master's Paradise
Keep in mind though, if you find one there's a very good chance there is
another that was installed as a backup, almost anticipating that one be
discovered.
Good luck --Michael
From: "Igor D. Spivak" <urbanachiever () attbi com>
To: "Andrew Fison" <afison () brit-tex net>,<incidents () securityfocus com>
Subject: Re: maybe a simple problem
Date: Wed, 2 Oct 2002 12:49:32 -0700
The way to track that is not through netstat (it is too dependent on chance), but rather through a process/loaded DLL list from an infected machine, being compared to a similar list on a known good machine and all non-matching entries researched.
Now then, http://www.sysinternals.com/win9x/98utilities.shtml this should help you.
Also, what does the telescope look like (just curious).
regards,
IDS
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Michael Anuzis, CCNA
Network Security Consultant
http://www.anuzisnetworking.com
http://www.lucidic.net - The Distributed Honeypot Project
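As an added example (not code from either poster), here is the comparison both messages rely on, written in Python over constructed sample snapshots: a process/loaded-module list and a full TCP/UDP listener list from a known-good machine are diffed against the same lists from the suspect machine, and every non-matching entry is queued for research. The process, module and port values are placeholders.

```python
# Added example (not from the original thread): baseline-diff triage for a
# suspect Win9x host, as Igor describes for processes/loaded DLLs and as
# Michael describes for listening ports. All data below is constructed.

# Constructed snapshot of a known-good machine: process name -> loaded modules
CLEAN_PROCS = {
    "EXPLORER.EXE": {"KERNEL32.DLL", "USER32.DLL", "SHELL32.DLL"},
    "RNAAPP.EXE": {"KERNEL32.DLL", "WSOCK32.DLL"},
}
# Constructed snapshot of the suspect machine (one extra process, one extra
# module loaded into a known process; names are placeholders)
SUSPECT_PROCS = {
    "EXPLORER.EXE": {"KERNEL32.DLL", "USER32.DLL", "SHELL32.DLL", "UNKNOWN1.DLL"},
    "RNAAPP.EXE": {"KERNEL32.DLL", "WSOCK32.DLL"},
    "UNKNOWN2.EXE": {"KERNEL32.DLL", "WSOCK32.DLL"},
}
# Constructed (protocol, port) listeners from a full TCP+UDP scan of each host;
# the high ports on the suspect host are placeholders, not real trojan defaults
CLEAN_PORTS = {("tcp", 139), ("udp", 137), ("udp", 138)}
SUSPECT_PORTS = CLEAN_PORTS | {("tcp", 40001), ("udp", 40002)}


def diff_processes(clean, suspect):
    """Processes absent from the clean box, and modules loaded into a known
    process that the clean box never loads. Returns (new_procs, new_modules)."""
    new_procs = sorted(set(suspect) - set(clean))
    new_modules = {}
    for proc, mods in suspect.items():
        if proc in clean and mods - clean[proc]:
            new_modules[proc] = sorted(mods - clean[proc])
    return new_procs, new_modules


def diff_ports(clean, suspect):
    """(proto, port) listeners present only on the suspect host, sorted."""
    return sorted(suspect - clean)


def research_queue(clean_procs, suspect_procs, clean_ports, suspect_ports):
    """Every non-matching entry, one line each, for the analyst to research."""
    procs, mods = diff_processes(clean_procs, suspect_procs)
    queue = [f"new process: {p}" for p in procs]
    queue += [f"new module in {p}: {m}" for p, ms in sorted(mods.items()) for m in ms]
    queue += [f"new listener: {proto}/{port}" for proto, port in diff_ports(clean_ports, suspect_ports)]
    return queue


if __name__ == "__main__":
    for line in research_queue(CLEAN_PROCS, SUSPECT_PROCS, CLEAN_PORTS, SUSPECT_PORTS):
        print(line)
```

A matching clean host produces an empty queue, so any output line is something that needs to be explained before the machine is trusted again.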