Security Incidents mailing list archives
Re: Unknown Hosts file
From: H C <keydet89 () yahoo com>
Date: Mon, 1 Apr 2002 18:02:45 -0800 (PST)
Dave,

This may actually be nothing more than a practical joke...after all, it's been listed on such sites as HappyHacker.org and others for years.

Did you happen to preserve the MAC times and maybe even the owner of the file? I'm assuming auditing wasn't enabled, b/c otherwise you'd be able to correlate the last write time with a login.

Scanning for viruses is good, but you may want to check for other stuff, too. After all, there are nice little 'gifts' that some A/V tools don't pick up. I was at a gov't site, and their A/V product didn't pick up netcat.

Have you checked open ports? Use netstat to start, but if you find anything suspicious, grab a copy of fport from FoundStone's site. Also check processes w/ pslist and listdlls from the SysInternals site, and maybe even grab pulist from the RK. Check the running services, as well.

'course, logging is helpful in these incidents, but it has to be enabled *before* the incident.

HTH
I have a client machine running Windows 2000 Professional. All of a sudden, one day, the user was unable to access several of the most popular websites (i.e. google, yahoo, cnn, etc.). I noticed that the machine was attempting to access the wrong IP address for all the websites, in fact, it was attempting to access the SAME IP address for every website in the group. After some research, I found there was a Hosts file with all the domains in question listed, and the erroneous IP address. Has anyone ever come across an incident where a virus or trojan would place a Hosts file onto a system? I have thoroughly scanned the machine for viruses, open ports, etc. and found nothing. Is there anything else I should be on the lookout for?
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
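A first-pass check for the symptom described in this thread (many unrelated sites resolving to one address), as an added example that is not part of the original posts: it parses hosts-file text and reports any non-loopback IP shared by hostnames from several different sites. The sample file, the `192.0.2.10` address, the function names and the three-site threshold are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the incident described: several unrelated
# popular sites all pointed at one address (192.0.2.10 is a documentation IP).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.google.com google.com   # search
192.0.2.10      www.yahoo.com
192.0.2.10\twww.cnn.com
10.1.1.5        fileserver.corp.example
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comment
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an IP address: skip the line
        for name in fields[1:]:                  # one line may carry aliases
            yield ip, name.lower().rstrip(".")

def site_key(hostname):
    """Rough grouping key: last two labels (assumption; ignores co.uk etc.)."""
    return ".".join(hostname.split(".")[-2:])

def suspicious_redirects(text, min_sites=3):
    """Return {ip: sorted hostnames} for non-loopback IPs shared by >= min_sites sites."""
    by_ip = defaultdict(set)
    for ip, name in parse_hosts(text):
        # Loopback/0.0.0.0 entries (blocklists) are a separate check.
        if not ip.is_loopback and not ip.is_unspecified:
            by_ip[ip].add(name)
    return {
        str(ip): sorted(names)
        for ip, names in by_ip.items()
        if len({site_key(n) for n in names}) >= min_sites
    }

if __name__ == "__main__":
    for ip, names in suspicious_redirects(SAMPLE_HOSTS).items():
        print(f"{ip}: {len(names)} hostnames -> {', '.join(names)}")
```

Run it against a copy of the hosts file taken from the affected machine rather than the live file, so the file's MAC times are left as found.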
