Security Basics mailing list archives

Re: Strange files on C:\


From: H Carvey <keydet89 () yahoo com>
Date: 10 Jun 2004 19:52:44 -0000

In-Reply-To: <AEEJJADGFEGJDBHCPHJPAEPGCDAA.superdif () infinito it>

Hi all,
I hope this is the right list for this kind of problem; if it
is not, please forgive me and suggest the right ML. :-)

In the last few days I noticed the following strange files in C:\ (from
the date and time they seem to be created regularly, like daily
or more often):
06/09/2004 05:58 PM    0 tas
06/09/2004 05:58 PM    0 tas.1
06/09/2004 07:22 PM    0 tis
06/09/2004 07:22 PM    0 tis.1
06/09/2004 03:03 PM    0 tj8
06/09/2004 03:03 PM    0 tj8.1

I have done some searching in Google, but I didn't find anything
relevant.

Searching just on file names doesn't always return usable results.

Do you have any idea where these files came from? Is there any
other tool/procedure I can try to identify them?

You never identified the specific operating system version, which 
can be very important.  Assuming that you're running Windows 2000 
or above, I'd recommend running pslist.exe, listdlls.exe, handle.exe 
(all from Sysinternals) and tlist.exe (from MS Debugger Tools, *not*
from the RK) to get process information, and use openports.exe (from
DiamondCS.com.au) to get network information ('-netstat' and '-fport').
Look for anomalies in the output, as well as unusual listings.  Also
check the StartUp areas in your Registry and file system. 
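
An added example, not part of the original message: a read-only PowerShell triage pass covering the zero-byte files in the drive root and the startup areas mentioned in the reply. It assumes a current Windows system with PowerShell 3 or later (not available on the Windows 2000-era systems the thread discusses); the Run/RunOnce keys and the two Startup folders are the standard autostart locations, chosen here as an assumption about what "StartUp areas" covers.

```powershell
# Added triage sketch, not from the original thread. Nothing here modifies the system.

# 1. Zero-byte files in the root of the system drive, oldest first, so the
#    creation times show how regularly they appear.
$root = "$env:SystemDrive\"
Get-ChildItem -LiteralPath $root -File -Force |
    Where-Object { $_.Length -eq 0 } |
    Sort-Object CreationTime |
    Format-Table Name, CreationTime, LastWriteTime -AutoSize

# 2. Registry autostart keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runEntries = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        [pscustomobject]@{
            Key     = $key
            Name    = $name
            Command = $item.GetValue($name)
        }
    }
}
$runEntries | Format-Table -AutoSize -Wrap

# 3. Per-user and all-users Startup folders in the file system.
foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path -and (Test-Path -LiteralPath $path)) {
        Get-ChildItem -LiteralPath $path -Force |
            Format-Table FullName, CreationTime, LastWriteTime -AutoSize
    }
}
```

Compare the creation times from step 1 with the commands listed in steps 2 and 3; an autostart entry you cannot account for is the first thing to examine with the process tools named above.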

