Jamie,

> Netstat reveals anywhere from 5 to 15 hosts
> connecting within seconds of boot.

Can you pipe the output to a file and post it? Your above statement is very indefinite... for example, what domains/countries are these hosts from? What port are they connecting to on the "victim" system, or is the "victim" system connecting to them?

> When I scan the machine using something like Retina,
> I get nothing unusual...139 (bad, I know) 1025, etc.
> No high ports.

First off, port scanning the machine from the outside does no good whatsoever. I've been saying that in posts on this list, as well as Security-Basics, for quite a while.

> I did install ZA and found win.exe doing most of the
> damage so I "adjusted" ZA to reduce the number of
> connections.
> I'm going back today to run Fport and others to try
> to determine more info....I now believe that this is
> something new or a significant variation of several
> older exploits.

Okay, this is where I tend to get a little concerned. I say that b/c as of yet, you really haven't done a detailed investigation, but you seem to have formed an opinion of what the issue is. This will tend to skew your investigation... since you don't seem to have much experience performing incident response activities, it's likely that anything you do will generally be guided toward proving that hypothesis, rather than attempting to determine what happened.

> Put a sniffer in place last night....going to
> retrieve info today.

What sniffer are you using? Is it a hardware or software sniffer? If it's software (i.e., tcpdump, snort, etc.), which system is it running on?

> These are all Win2K Pro, looks like they have not
> been patched.....yet....no IIS services.

How have you confirmed this? I know your first reaction will be to say, "by looking at the box", but with regards to an incident response methodology, I would have to ask "how" you looked at the box? Did you check the running services?
> Called some friends at SANS and McAfee....they are
> scratching their heads also. This is weird.

Probably b/c you haven't pulled together an adequate amount of info in one place yet. I'll give you an example. In the Incident Response course I teach, one of the lab exercises we run is to install netcat (nc.exe) on a system, but put it in c:\winnt\system32 and call it "inetinfo.exe". The 'trojan' is then launched to listen on port 80. Most admins only check the Task Manager and will see inetinfo.exe running... something they are used to seeing on systems running IIS. Every now and then, one will run netstat and see something listening on port 80. The point is that any file on a system can be called anything. An executable file can be given any name and executed. Most trojans/backdoors are configurable to allow them to listen on any arbitrary port. Therefore, relying solely on the name of a file, or the output of netstat or a port scan, can really be inconclusive.

> More to follow.

Hopefully, command output captures and maybe even packet captures. For commands, I would recommend the following:

  netstat -an (NOTE: add '-o' if using XP)
  nbtstat -c
  pslist
  pulist
  listdlls/handle
  fport
    ** If you're really interested in some detailed process information, go to NTSecurity.nu and get pmdump.exe... it will dump the process memory for a designated PID
  psservice
  drivers.exe (RK)
  psuptime
  autoruns (from SysInternals... shows the contents of locations in the file system and Registry that start programs on system start)
  lads (from Heysoft.de... check for alternate data streams)
  DumpSec (you want to get users, user rights, etc.)
  dir /s /od /ta c:\*
  auditpol (from the RK)
  DumpEvt or dumpevt.pl (http://patriot.net/~carvdawg/perl.html)

This is a good place to start.
Since you think you've already identified the incriminating file (win.exe), maybe you could make a copy of it (*after* capturing the MAC times, file owner, permissions, full path, as well as any reference to the file in the Registry or any other file on the system) and run it through strings.exe, depends.exe, and VFI.exe (Visual File Information... gets things like version and manufacturer strings, if available).

Whatever you do end up deciding to do, I'd like to just ask that you fully document what you do, particularly if you're looking for help or assistance. "I looked at the box" doesn't say anything... different tools and utilities have different effects on the system. For example, it's better to use tools that are known to *not* alter MAC times when examining the file system.

If you have any specific questions, please feel free to drop me a line.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
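The "netcat renamed to inetinfo.exe" lab above makes the point that neither a process name nor a port number proves anything on its own; what a responder actually wants is the port-to-process-to-image-path chain, which is why fport is on the command list. The script below is an added example (not code from the original poster or from the tools named): it parses `netstat -an` and FPort v2.0 output and reports sockets whose owning binary is not where the stock service binary lives, or whose process name is not one we recognise. Both tool outputs are constructed samples written to mirror the Win2K-era formats, and the EXPECTED_PATH table is an illustrative assumption, not an authoritative list.

```python
"""Correlate `netstat -an` sockets with `fport` port->process mappings.

Added example, not from the original post. Both sample outputs below are
CONSTRUCTED to follow the Win2K-era tool formats (netstat -an, FPort v2.0);
they are not captures from the incident under discussion. EXPECTED_PATH is
an illustrative assumption about where stock service binaries live.
"""
import re
from collections import namedtuple

Socket = namedtuple("Socket", "proto addr port state remote")
Mapping = namedtuple("Mapping", "pid process port proto path")

NETSTAT_SAMPLE = r"""
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1034      203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

FPORT_SAMPLE = r"""
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
812   inetinfo       ->  80    TCP   C:\WINNT\system32\inetinfo.exe
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
392   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  139   TCP
1204  win            ->  1034  TCP   C:\WINNT\win.exe
"""

# Assumption for illustration: where these binaries live on a stock Win2K box.
# A renamed nc.exe dropped into system32 as inetinfo.exe will not match.
EXPECTED_PATH = {
    "inetinfo": r"c:\winnt\system32\inetsrv\inetinfo.exe",
    "svchost": r"c:\winnt\system32\svchost.exe",
}


def parse_netstat(text):
    """Return one Socket per TCP line (any state) and per UDP line."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) > 3 else ""
        addr, port = local.rsplit(":", 1)
        sockets.append(Socket(proto, addr, int(port), state, remote))
    return sockets


FPORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text):
    """Return Mapping tuples; the path field is empty for kernel-owned ports."""
    maps = []
    for line in text.splitlines():
        m = FPORT_RE.match(line.strip())
        if m:
            pid, proc, port, proto, path = m.groups()
            maps.append(Mapping(int(pid), proc, int(port), proto, path.strip()))
    return maps


def review_sockets(netstat_text, fport_text):
    """Return (Socket, Mapping or None, reason) for sockets needing a closer look."""
    by_port = {(m.proto, m.port): m for m in parse_fport(fport_text)}
    findings = []
    for s in parse_netstat(netstat_text):
        m = by_port.get((s.proto, s.port))
        if m is None:
            findings.append((s, None, "no process mapped to this port"))
            continue
        expected = EXPECTED_PATH.get(m.process.lower())
        if expected and m.path.lower() != expected:
            findings.append((s, m, "image path %s is not the stock %s" % (m.path, expected)))
        elif expected is None and m.path:
            findings.append((s, m, "unrecognised process; hash and examine %s" % m.path))
    return findings


if __name__ == "__main__":
    for sock, mapping, reason in review_sockets(NETSTAT_SAMPLE, FPORT_SAMPLE):
        who = "pid %d %s" % (mapping.pid, mapping.process) if mapping else "?"
        print("%s %s:%d %-11s %s -- %s" % (sock.proto, sock.addr, sock.port,
                                          sock.state, who, reason))
```

Run against the constructed samples, the renamed listener on port 80 is flagged because its image path is `system32\inetinfo.exe` rather than `system32\inetsrv\inetinfo.exe`, and the outbound connection on 1034 is flagged because `win` is not a name the table knows; the stock svchost and System entries pass. The check only narrows the list: a flagged path still has to be hashed and examined, and an unflagged one is not cleared, since the table can be wrong and a trojan can overwrite the stock binary in place.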
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 08:50:13 PDT
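The advice above on win.exe (capture MAC times, owner, permissions and full path *before* copying, and use tools that do not alter MAC times) is easy to get wrong in the field, because merely opening the file to hash or copy it can update its last-access time. The following is an added example, not code from the original poster: it takes the stat record before anything opens the file, then hashes, copies and verifies the copy. The suspect file it operates on is constructed in a temporary directory so the script runs offline; the `.copy` naming and the fields recorded are my choices, not a standard.

```python
"""Record a suspect file's metadata and hashes before copying it out.

Added example, not from the original post. os.stat() runs BEFORE any
open(), because reading the file to hash or copy it can update the
last-access time on the original. The sample file is constructed in a
temp directory so the example runs offline.
"""
import hashlib
import os
import shutil
import tempfile
import time


def _ts(epoch):
    return time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(epoch))


def stat_record(path):
    """Capture full path, size, mode and MAC times without opening the file."""
    st = os.stat(path)
    return {
        "path": os.path.abspath(path),
        "size": st.st_size,
        "mode": oct(st.st_mode & 0o777),
        "mtime": _ts(st.st_mtime),   # last modified
        "atime": _ts(st.st_atime),   # last accessed: the one a read() can change
        "ctime": _ts(st.st_ctime),   # created on Windows, metadata change on POSIX
    }


def hash_file(path):
    """MD5 and SHA-256 of the contents (MD5 only to match older vendor lists)."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def collect(path, dest_dir):
    """Stat first, then hash, copy, and verify the copy hashes identically."""
    record = stat_record(path)                 # before any open()
    record["md5"], record["sha256"] = hash_file(path)
    dest = os.path.join(dest_dir, os.path.basename(path) + ".copy")
    shutil.copy2(path, dest)                   # copy2 carries mtime over to the copy
    record["copy"] = dest
    record["copy_verified"] = hash_file(dest) == (record["md5"], record["sha256"])
    return record


def demo():
    """Build a constructed suspect file and collect it; returns the record."""
    work = tempfile.mkdtemp()
    suspect = os.path.join(work, "win.exe")
    with open(suspect, "wb") as fh:
        # Constructed sample: an MZ header stub followed by filler, not a real binary.
        fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary")
    return collect(suspect, work)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-14s %s" % (key, value))
```

Print the record into the incident notes together with the exact command lines used; the hashes let anyone you ask for help confirm they are looking at the same binary, and the pre-read atime is the value that is otherwise lost the first time someone double-clicks or scans the file.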