> I would suggest this is a custom made trojan that is connecting to an irc
> server when a RAS connection is detected.

What are you basing this on? The information provided so far by the OP has been vague and sketchy at best...hardly what one would call even moderately effective incident response.

> Try using MSConfig to see if anything unusual is working, also try
> installing zone alarm for a check at what is accessing the network from that
> machine - available from www.zonelabs.com
> If someone is using a trojan it will be picked up using zone alarm even if
> it is custom made.
> Hope my info helps...

There are other, perhaps even more effective methods for gathering the same information. For example, running fport (and piping the output through netcat) doesn't require a full software installation (ZoneAlarm does)...which will contaminate any potential evidence. There are other tools...which I've listed and sent to the OP...that can be run similarly.

BTW, I checked out your site...cool graphics. Aside from rampant misspellings, it's not half bad.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Apr 09 2002 - 12:02:54 PDT