Security Incidents mailing list archives
Re: maybe a simple problem
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Wed, 2 Oct 2002 14:16:54 -0600
On Wed, Oct 02, 2002 at 04:37:18AM -0500, Andrew Fison wrote:
> I have a client who believes that their Win98 PC has been hacked with some remote control software. They are pretty vague and not close by, so I cannot look at the machine all the time. I asked them to do netstat when they think they are being spied on, but as yet they have not given me anything useful. I think there is reason to believe them, as the owner is involved in a hostile boardroom takeover of his company by some other entities. Whilst this is legal, they have used other underhand methods against my customer before and they are trying to force him to sign over the business to them a little too swiftly. This all started when his wife was using the PC, and a telescope came on the screen and then disappeared. Since then the machine crashes, documents pertaining to the business have gone missing, etc. Any clues to what this telescope could be?
I'd say "Think horses, not zebras". Feels like a virus to me. Spy programs rarely advertise themselves.

If you are fairly certain something fishy is going on, but don't know what, the simple solution is a backup of data you care about, and reinstall. Ensure that your virus scanner and software patches are the latest and greatest on the new install, and you will likely be fine.

If you can, drop a machine off with the needed software and data, grab the suspect machine and take your time staring at the suspect machine. This way you are not rushed, and your clients can keep computing happily.

If your clients need better protection from data loss and viruses, Windows NT/2000/XP (so long as Administrator is not the regular user privilege) and regular backups might be worth pitching.

-----------------------------------------------------------------------
   __o        Bradley Arlt                     Security Team Lead
 _ \<_        arlt () cpsc ucalgary ca         University Of Calgary
(_)/(_)       I should be biking right now.    Computer Science

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
