RE: I think I've been hacked...please help!

From: H C (keydet89at_private)
Date: Tue Apr 09 2002 - 03:44:30 PDT


    Jamie,
    
    1.  Have you gathered detailed process information,
    such as using pslist.exe and listdlls.exe (from
    SysInternals), and pulist.exe (from the RK)?
    
    2.  Have you run netstat?  Since you didn't specify
    which operating systems are running, I'll point out
    that only XP has the '-o' switch in netstat.
    
    3.  Have you run fport.exe from Foundstone, mapping
    the processes to open ports in netstat?
    
    4.  Have you collected any file info...last access
    times, etc?  Something like the following command is a
    quick and dirty way of doing it:
    
    c:\>dir /s /ta /od c:\*
    
    5.  Have you collected or reviewed EventLogs (assuming
    we're talking about NT/2K here)?
    
    6.  Have you done any network-based packet captures?
    
    It seems to me that you might have a pretty
    significant incident on your hands...but you really
    haven't given us a whole lot of information to work
    with.  For example, are these machines using publicly
    routable addresses?  What's the patch level?  What
    operating system is being used?  What major apps are
    running (IIS, FTP, etc)?
    
    Of course, this may just be some "goodies" this other
    admin friend of yours (the "techie") left behind.
    
    I teach a course that walks admins such as yourself
    through how to deal with/handle situations like this. 
    To be honest, if you have the time, I think these
    machines would be very interesting to work
    with...observe the activity on the systems, as well as
    the network, and see what these "bad guys" are up to.
    
    --- "Arnold, Jamie" <harnoldat_private> wrote:
    > All:
    > 
    > I have several machines that are using excessive
    > bandwidth.  Upon
    > inspection, I find multiple connections to servers
    > with names like
    > irc.badguuy.com, etc... On 6667.  Incoming
    > connections are random although
    > 1067 seems to be a common one.  I have 4 instances
    > of cmd.exe running and 2
    > of win.exe  While it looks like Egghead, the reg
    > entries aren't there nor
    > the directories/files.  These machines all had an
    > account ID of Microsoft
    > with admin privs on them.  They don't connect to a
    > domain and were set up by
    > the department "tech" person who left them wide
    > open.  What is confusing to
    > me is that one of them uses our Exchange server
    > which is protected by
    > Antigen (and I pull nearly every extension known to
    > man) and McAfee on the
    > desktop.  I can't find anything that matches this.
    > Anyone have any insight?
    > 
    > Thanks
    > 
    > J
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS
    > analyzer service.
    > For more information on this free incident handling,
    > management 
    > and tracking system please see:
    > http://aris.securityfocus.com
    > 
    
    
    
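    An added example (not from the original post or either poster) of steps 2 and 3 above done offline: save the output of "netstat -ano" (XP or later, for the PID column; on NT/2K you would join fport output instead) and "tasklist /fo csv" from the suspect host, then parse them on a clean machine to map connections to processes and flag sessions to the IRC port named in the thread, plus any listener (like the 1067 one mentioned) owned by the same process. The sample outputs, addresses, PIDs and image names below are constructed; the set of IRC ports is an assumption you would extend.

```python
"""Offline triage of saved "netstat -ano" and "tasklist /fo csv" output.

Added example, not code from the original post.  Assumes both commands
were run on the suspect host (XP+ for netstat -o) and their output saved
to text for analysis elsewhere.  All sample data is constructed.
"""
import csv
import io

# Constructed "netstat -ano" output: two sessions to port 6667 and a
# listener on 1067 owned by the same cmd.exe that talks to IRC.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:1067           0.0.0.0:0              LISTENING       1588
  TCP    10.1.2.33:139          0.0.0.0:0              LISTENING       4
  TCP    10.1.2.33:1045         192.0.2.17:6667        ESTABLISHED     1588
  TCP    10.1.2.33:1046         198.51.100.9:6667      ESTABLISHED     2212
  TCP    10.1.2.33:1050         192.0.2.80:80          ESTABLISHED     1312
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed "tasklist /fo csv" output for the same host.
TASKLIST_SAMPLE = """\
"Image Name","PID","Session Name","Session#","Mem Usage"
"System","4","Console","0","236 K"
"svchost.exe","904","Console","0","4,812 K"
"iexplore.exe","1312","Console","0","9,100 K"
"cmd.exe","1588","Console","0","1,420 K"
"win.exe","2212","Console","0","2,004 K"
"""

IRC_PORTS = {6667}  # the port named in the thread; assumption, extend as needed


def split_endpoint(endpoint):
    """'10.1.2.33:6667' -> ('10.1.2.33', 6667); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP socket line of netstat -ano output."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, header and blank lines
        proto, local, remote = parts[0], parts[1], parts[2]
        # UDP lines have no State column, so the PID is one field earlier.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        conns.append({"proto": proto, "lhost": lhost, "lport": lport,
                      "rhost": rhost, "rport": rport, "state": state,
                      "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name from tasklist /fo csv output."""
    reader = csv.DictReader(io.StringIO(text))
    return {int(row["PID"]): row["Image Name"] for row in reader}


def triage(conns, procs):
    """Flag IRC sessions, then any listener owned by a process that has one.

    A process that both talks to an IRC server and accepts inbound
    connections is the pattern the thread describes (6667 out, 1067 in).
    """
    findings = []
    irc_pids = set()
    for c in conns:
        if c["state"] == "ESTABLISHED" and c["rport"] in IRC_PORTS:
            irc_pids.add(c["pid"])
            findings.append("pid %d (%s) -> %s:%d IRC session"
                            % (c["pid"], procs.get(c["pid"], "?"),
                               c["rhost"], c["rport"]))
    for c in conns:
        if c["state"] == "LISTENING" and c["pid"] in irc_pids:
            findings.append("pid %d (%s) listens on %s:%d and talks IRC: "
                            "possible backdoor"
                            % (c["pid"], procs.get(c["pid"], "?"),
                               c["lhost"], c["lport"]))
    return findings


if __name__ == "__main__":
    procs = parse_tasklist(TASKLIST_SAMPLE)
    for finding in triage(parse_netstat(NETSTAT_SAMPLE), procs):
        print(finding)
```

    Run it against real saved output by reading the two files into the two sample variables; the point of parsing saved text rather than querying the live box is that you run as little as possible on a machine you suspect, and keep the raw output as evidence.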



    This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 09:07:06 PDT