Re: Unknown Hosts file

From: H C (keydet89at_private)
Date: Mon Apr 01 2002 - 18:02:45 PST


    Dave,
    
    This may actually be nothing more than a practical
    joke...after all, it's been listed on such sites as
    HappyHacker.org and others for years.
    
    Did you happen to preserve the MAC times and maybe
    even the owner of the file?  I'm assuming auditing
    wasn't enabled, b/c otherwise you'd be able to
    correlate the last write time with a login.
    
    Scanning for viruses is good, but you may want to
    check for other stuff, too.  After all, there are nice
    little 'gifts' that some A/V tools don't pick up.  I
    was at a gov't site, and their A/V product didn't pick
    up netcat.
    
    Have you checked open ports?  Use netstat to start,
    but if you find anything suspicious, grab a copy of
    fport from FoundStone's site.  Also check processes w/
    pslist and listdlls from the SysInternals site, and
    maybe even grab pulist from the RK.  Check the running
    services, as well.
    
    'course, logging is helpful in these incidents, but it
    has to be enabled *before* the incident.
    
    HTH
    
    > I have a client machine running Windows 2000 Professional.  All of a
    > sudden, one day, the user was unable to access several of the most
    > popular websites (i.e. google, yahoo, cnn, etc.).  I noticed that the
    > machine was attempting to access the wrong IP address for all the
    > websites, in fact, it was attempting to access the SAME IP address for
    > every website in the group.  After some research, I found there was a
    > Hosts file with all the domains in question listed, and the erroneous
    > IP address.  Has anyone ever come across an incident where a virus or
    > trojan would place a Hosts file onto a system?  I have thoroughly
    > scanned the machine for viruses, open ports, etc. and found nothing.
    > Is there anything else I should be on the lookout for?
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
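The symptom in the original question (many well-known hostnames pinned to one wrong IP in the Hosts file) and the reply's advice to preserve MAC times can both be turned into a small triage check. The script below is an added example, not code from either poster; the hosts content, the 192.0.2.45 address and the `min_names` threshold are constructed for illustration.

```python
"""Triage a hosts file for the redirect pattern described in the thread:
many distinct hostnames mapped to a single non-loopback IP address."""
import os
import time
from collections import defaultdict

LOOPBACK = {"127.0.0.1", "::1"}

def parse_hosts(text):
    """Return a list of (ip, hostname) pairs; comments and blank lines skipped."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs

def suspicious_redirects(pairs, min_names=3):
    """Group hostnames by IP; return {ip: [names]} for every non-loopback
    address that claims min_names or more distinct hostnames."""
    by_ip = defaultdict(set)
    for ip, name in pairs:
        by_ip[ip].add(name)
    return {ip: sorted(names) for ip, names in by_ip.items()
            if ip not in LOOPBACK and len(names) >= min_names}

def file_mac_times(path):
    """Record modified/accessed/changed times before anything else touches
    the file (on Windows the path is %SystemRoot%\\system32\\drivers\\etc\\hosts)."""
    st = os.stat(path)
    return {k: time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(getattr(st, k)))
            for k in ("st_mtime", "st_atime", "st_ctime")}

# Constructed sample hosts file; the redirect IP is a documentation address.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
192.0.2.45      www.google.com google.com
192.0.2.45      www.yahoo.com
192.0.2.45      www.cnn.com cnn.com
10.0.0.7        printserver   # legitimate single entry
"""

if __name__ == "__main__":
    for ip, names in suspicious_redirects(parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{ip} claims {len(names)} hostnames: {', '.join(names)}")
```

Run `file_mac_times()` against the real file first and save its output with the copy of the file, since reading or scanning the file afterwards will update the access time.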
    



    This archive was generated by hypermail 2b30 : Tue Apr 02 2002 - 09:49:47 PST