Thanks for all on/off-line replies - I was a bit hasty in my previous post, and missed a few important technical details: see below.

> 1. Did you perform a packet capture on the network?

Not yet - but we're in the process of doing this, post mortem, so to say.

> 2. Did you dump the process list from the machine
> during this activity?

No. We had to unplug the machine from the network, and it was inadvertently powered down.

> 3. What is the os of the target system (this would
> help myself and others recommend tools)?

I forgot to mention that the client is a Win2k SP2. The two targets are seemingly 'Microsoft-IIS/5.0' and 'Apache/1.3.11 Ben-SSL/1.38 (Unix) PHP/3.0.15'.

> 4. Did you check the contents of the Run,
> RunServices, RunOnce Registry keys (if the target
> system is a MS platform)?

No - but I'd like a tool that can decipher the 'ntuser.dat' file, so we don't have to log on as the specific user that caused the problems. Does anyone know of a way of 'reading'/enumerating a user's own registry file (HKCU)? There is supposedly a driver for Linux, to mount the registry file - and browse everything like a directory. But that seems to be like crossing the river for water...

> How about startup
> directories for the currently logged on user?

Checked - nothing found.

> http://www.securityfocus.com/focus/microsoft/2k/forensictools.html

I'll check these tomorrow. When daylight hits again...

> > An interesting thing is that the source port in each
> > request, would
> > start at 1025, increase by one to 5000, and then
> > start over with source
> > port 1025.
>
> That should be fairly normal activity, actually. I'm
> not sure about rolling over specifically at 5000, but
> starting at a high port (ie, above 1024) is normal.

When investigating further, it turns out that all the customer's Microsoft client machines (NT4 & Win2k) roll over at 5000, and start at 1025 again. Is this normal behaviour? And out of curiosity - if so, why? What about the other 60000 ports?

> > The client machine does have an irc client
> > installed, and this is somewhat alarming.
>
> How so? It might have served as the infection vector,
> but I don't necessarily see how the presence of just
> an irc client is "alarming".

Alarming due to company policy for this client machine, and alarming due to the fact that IRC is a method of spreading 'evil'.

Rgds,
~Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
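As an added example for the source-port question above (this is not code from the thread), the check below reads constructed connection-log lines and tests whether a host's source ports follow the NT4/Win2k default ephemeral pattern: allocation starts at 1025 and climbs to 5000 (the TCP/IP MaxUserPort setting, whose default is 5000), then wraps back to 1025. The log format, addresses and timestamps are assumptions; skipped ports between consecutive observed connections indicate connections from that host which the capture does not show.

```python
"""Check whether a host's source ports follow the NT4/Win2k ephemeral-port
pattern (1025 upward, wrapping at 5000) and count unseen connections."""
import re
from collections import namedtuple

Conn = namedtuple("Conn", "ts src_ip src_port dst")

# Constructed sample in an assumed "ts src_ip:src_port -> dst_ip:dst_port"
# form; a real capture would come from tcpdump or the IDS log instead.
SAMPLE_LOG = """\
2001-09-12T10:00:01 10.0.0.7:4998 -> 192.0.2.10:80
2001-09-12T10:00:01 10.0.0.7:4999 -> 192.0.2.10:80
2001-09-12T10:00:02 10.0.0.7:5000 -> 192.0.2.10:80
2001-09-12T10:00:02 10.0.0.7:1025 -> 192.0.2.10:80
2001-09-12T10:00:02 10.0.0.7:1026 -> 192.0.2.10:80
2001-09-12T10:00:03 10.0.0.7:1029 -> 192.0.2.10:80
"""

LINE_RE = re.compile(r"^(\S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+)$")


def parse_log(text):
    """Turn log lines into Conn records; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            conns.append(Conn(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return conns


def analyse_ports(conns, low=1025, high=5000):
    """Per source host: whether every port lay inside [low, high], how many
    wraps (high back to low) occurred, and how many ports were skipped between
    consecutive observed connections. Sequential allocation shows few skips;
    a large skip count means the host opened connections not in this log."""
    span = high - low + 1
    stats = {}
    for c in conns:
        s = stats.setdefault(c.src_ip, {"in_range": True, "wraps": 0, "skipped": 0, "last": None})
        if not low <= c.src_port <= high:
            s["in_range"] = False
        if s["last"] is not None:
            step = (c.src_port - s["last"]) % span  # distance along the ring low..high
            if c.src_port < s["last"]:
                s["wraps"] += 1
            s["skipped"] += max(step - 1, 0)
        s["last"] = c.src_port
    for s in stats.values():
        del s["last"]
    return stats
```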
This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 12:51:10 PDT