RE: I think I've been hacked...please help!

From: Arnold, Jamie (harnoldat_private)
Date: Mon Apr 08 2002 - 13:06:34 PDT


    All:
    
    I have several machines that are using excessive bandwidth.  Upon
    inspection, I find multiple connections to servers with names like
    irc.badguuy.com, etc., on 6667.  Incoming connections are random although
    1067 seems to be a common one.  I have 4 instances of cmd.exe running and 2
    of win.exe.  While it looks like Egghead, the reg entries aren't there nor
    the directories/files.  These machines all had an account ID of Microsoft
    with admin privs on them.  They don't connect to a domain and were set up by
    the department "tech" person who left them wide open.  What is confusing to
    me is that one of them uses our Exchange server which is protected by
    Antigen (and I pull nearly every extension known to man) and McAfee on the
    desktop.  I can't find anything that matches this. Anyone have any insight?
    
    Thanks
    
    J
    
    


