I would suggest this is a custom made trojan that is connecting to an IRC server when a RAS connection is detected. Try using MSConfig to see if anything unusual is working, also try installing Zone Alarm for a check at what is accessing the network from that machine - available from www.zonelabs.com

If someone is using a trojan it will be picked up using Zone Alarm even if it is custom made.

Hope my info helps...

Peter Francis
Owner/Operator
-= KoRe WoRkS =- Internet Security
http://www.koreworks.com/
Is your box REALLY secure?

>From: "Arnold, Jamie" <harnoldat_private>
>To: "'incidentsat_private'" <incidentsat_private>
>Subject: RE: I think I've been hacked...please help!
>Date: Mon, 8 Apr 2002 16:06:34 -0400
>
>All:
>
>I have several machines that are using excessive bandwidth. Upon
>inspection, I find multiple connections to servers with names like
>irc.badguuy.com, etc... On 6667. Incoming connections are random although
>1067 seems to be a common one. I have 4 instances of cmd.exe running and 2
>of win.exe. While it looks like Egghead, the reg entries aren't there nor
>the directories/files. These machines all had an account ID of Microsoft
>with admin privs on them. They don't connect to a domain and were set up by
>the department "tech" person who left them wide open. What is confusing to
>me is that one of them uses our Exchange server which is protected by
>Antigen (and I pull nearly every extension known to man) and McAfee on the
>desktop. I can't find anything that matches this. Anyone have any insight?
>
>Thanks
>
>J
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
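The check both posters are circling (which processes own the connections to port 6667, and whether those are the stray cmd.exe instances) can be done by joining `netstat -ano` output with `tasklist /fo csv` on the PID column. The script below is an added example, not code from either poster; the netstat and tasklist text is constructed sample output, and the IRC port set is taken from the thread.

```python
import csv
import io
import re

# Constructed sample of `netstat -ano` output from a Windows host (not real data).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.0.5:1067          203.0.113.7:6667       ESTABLISHED     1588
  TCP    10.0.0.5:1071          203.0.113.9:6667       ESTABLISHED     1604
  TCP    10.0.0.5:139           0.0.0.0:0              LISTENING       4
  TCP    10.0.0.5:3389          10.0.0.20:52110        ESTABLISHED     880
"""

# Constructed sample of `tasklist /fo csv` output (not real data).
TASKLIST_SAMPLE = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","212 K"
"cmd.exe","1588","Console","0","1,340 K"
"cmd.exe","1604","Console","0","1,352 K"
"svchost.exe","880","Console","0","4,100 K"
'''

IRC_PORTS = {6667}  # the port named in the thread; extend with other IRC ports as needed

NETSTAT_LINE = re.compile(r"\s*TCP\s+(\S+)\s+(\S+):(\d+)\s+ESTABLISHED\s+(\d+)")


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv` output (header row skipped)."""
    rows = csv.reader(io.StringIO(text))
    next(rows)
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}


def find_irc_connections(netstat_text, tasklist_text, ports=IRC_PORTS):
    """Return (image, pid, remote) for established TCP connections to IRC ports."""
    pids = parse_tasklist(tasklist_text)
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m and int(m.group(3)) in ports:
            pid = int(m.group(4))
            hits.append((pids.get(pid, "unknown"), pid, f"{m.group(2)}:{m.group(3)}"))
    return hits


if __name__ == "__main__":
    for image, pid, remote in find_irc_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{image} (PID {pid}) -> {remote}")
```

On a live host, feed it the saved output of the two commands instead of the samples; an interactive shell like cmd.exe holding an established connection to an IRC port is the thing to investigate.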
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 08:43:58 PDT