Re: help with forensics on a desktop computer

[Josh Nerius <jnerius () gmail com>]

This could work but in theory, depending on the sophistication of the
attacker, these ports may not respond to such probes.

I believe someone mentioned earlier the idea of connecting this
machine to a hub and then monitoring from a different system running
Ethereal. I second that idea as this is really one of the only ways to
truly see what is passing to/from a system.

Josh Nerius


On Tue, 16 Nov 2004 08:14:07 -0500, Horn Michael
<michael.horn () morganplc com> wrote:
> Couldn't you use nmap to see if any ports are open that shouldn't be?  By
> doing this you should be able to tell what ports are open and if they our
> being used to get into it.
>
>
>
>         -----Original Message-----
>         From:   Anthony J. Cogan [SMTP:anthony.cogan () thinkunix com]
>         Sent:   Friday, November 12, 2004 4:02 PM
>         To:     Undisclosed
>         Cc:     Security Basics[List]
>         Subject:        Re: help with forensics on a desktop computer
>
>         Checkout SpecterCNE at http://www.eblaster.com/CNE.html
>
>         Undisclosed wrote:
>
>         >[reply address not given due to client's instance on
> confidentiality]
>         >
>         >Ok heres the skinny:
>         >an XP box (home edition) the client feels that it has been
> compromised from
>         >remote.
>         >The evidence for this they have gathered from Norton Tools (I am
> unfamilar
>         >with any
>         >logging feature though I do not use Norton Tools). I disabled
> remote desktop
>         >support
>         >in services and they called me and said again there is evidence of
> access
>         >from remote.
>         >Now, the location of the computer in their house is in a small
> secured room
>         >(access
>         >doesnt happen  from anyone except the client from there [that they
> know
>         >of!]. Yes others
>         >live in the house.
>         >
>         >Question is there any effective free or inexpensive (under $100)
> that
>         >monitors access
>         >both local and from remote. Something that can be installed via
>         >administrative account
>         >and not detected by anyone else using the computer? Or tell me if I
> am
>         >dreaming but can be
>         >run from a floppy or a CDROM rather than installed? If I am on the
> right
>         >track maybe
>         >something that puts a log on the A: drive.
>         >
>         >Also, Is there any software which anyone might have put on it to
> compromise
>         >it from remote?
>         >I am aware of PCAnywhere and remote assistance (now disabled).
>         >
>         >Treat me like I'm six years old. All comments and answers
> appreciated.
>         >
>         >
>         >
>         >
>         >---
>         >Outgoing mail is certified Virus Free.
>         >Checked by AVG anti-virus system (http://www.grisoft.com).
>         >Version: 6.0.792 / Virus Database: 536 - Release Date: 11/9/04
>         >
>         >
>
>         
> ______________________________________________________________________
>         This email has been scanned by the MessageLabs Email Security
> System.
>         For more information please visit http://www.messagelabs.com/email
>
> ______________________________________________________________________


-- 
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]