David,

A couple of questions:

1. How does this information that you've provided below relate to the title of "possible system compromise"?

2. Have you retrieved any process information from the system? Using pslist/handle/listdlls from SysInternals, and "netstat -ano" on the XP box, will provide detailed process information.

3. Have the contents of any of these files been examined? Have the MAC times of the files been recorded, and any of them opened in a hex editor, or even Notepad?

4. Has any information been collected from the system, such as open/running services, processes, etc? Has _any_ incident response been done at all? Was auditing enabled on the XP system, such that Process Tracking might provide some information?

--- David Baker <bakerdat_private> wrote:
> All,
> I have a person that contacted me after some strange files appeared in the
> root directory of his Windows XP box. This person is remote from me, and I
> don't have a lot to go on right now, but there are about 30 files that appeared
> in the root directory:
>
> S3no     23KB
> S3no.1    7KB
> S3no.2    4KB
> S3no.3   23KB
> S3no.4  472KB
> S3no.5   23KB
> S3no.6    7KB
> S3no.7    4KB
> S3no.8   23KB
> S3no.9  472KB
> S3no.a   23KB
> S3no.b    7KB
> S3no.c    4KB
> S3no.d   23KB
> S3no.e  472KB
> S3no.f   23KB
> S3no.g    7KB
> S3no.h    4KB
> S3no.i   23KB
> S3no.j  472KB
> S3no.k   23KB
> S3no.l    7KB
> S3no.m    4KB
> S3no.n   23KB
> S3no.o  472KB
> S3no.p   23KB
> S3no.q    7KB
> S3no.r    4KB
> S3no.s   23KB
> S3no.t  472KB
>
> This sounds familiar to me, but I cannot seem to find anything in my archives
> about this one. I also couldn't find anything relevant with a couple of
> searches. Does anyone have a cluebat they can smack me with? The pattern of
> file sizes is constant. All the files have the same date/time:
> 6/16/2002 at 6:42pm
>
> Thanks in advance.
> Dave B.
>
> --
> ------------------------------------------------------------
> David W. Baker
> bakerdat_private
> Lead INFOSEC Engineer
> G023 - Secure Information Technology    (703) 883-3658
> The MITRE Corporation                   (703) 883-4589 (F)
> Mailstop W435
> 7515 Colshire Drive, McLean, VA, 22102
> ------------------------------------------------------------
> "Cyberspace. A consensual hallucination experienced daily by billions of
> legitimate operators, in every nation, by children being taught mathematical
> concepts... A graphic representation of data abstracted from the banks of
> every computer in the human system. Unthinkable complexity. Lines of light
> ranged in the nonspace of the mind, clusters and constellations of data.
> Like city lights, receding..."
> - William Gibson, "Neuromancer"
>
> "640K ought to be enough for anybody." - Bill Gates, 1981
> -------------------------------------------------------------
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
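The reply asks for MAC times and file contents to be recorded before anything else is touched, and the original post notes that the file sizes repeat in a fixed pattern with identical timestamps. The script below is an added example (not from either poster) that does that first triage step on a copy of such a directory: it records size, MAC times and SHA-256 for every file matching a name prefix, checks whether all files share a modification time, counts distinct contents, and detects the period of the size pattern. The sample listing is constructed from the sizes quoted in the post; the `S3no` prefix and the helper names are this example's own.

```python
import hashlib
import os
import stat
from datetime import datetime, timezone

# Constructed sample: the first ten entries of the listing quoted in the
# thread, as (file name, size in KB) pairs.
SAMPLE_LISTING = [("S3no", 23), ("S3no.1", 7), ("S3no.2", 4), ("S3no.3", 23),
                  ("S3no.4", 472), ("S3no.5", 23), ("S3no.6", 7), ("S3no.7", 4),
                  ("S3no.8", 23), ("S3no.9", 472)]


def size_pattern_period(sizes):
    """Shortest period p with sizes[i] == sizes[i - p] for every i >= p, or 0 if
    the sequence does not repeat. The quoted listing repeats 23,7,4,23,472 (p=5)."""
    n = len(sizes)
    for p in range(1, n):
        if all(sizes[i] == sizes[i - p] for i in range(p, n)):
            return p
    return 0


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def triage_directory(directory, prefix="S3no"):
    """Record name, size, MAC times (UTC) and SHA-256 of each regular file whose
    name starts with prefix. stat() is taken before the file is opened, because
    reading the contents can update the access time on some filesystems."""
    records = []
    for name in sorted(os.listdir(directory)):
        if not name.startswith(prefix):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        if not stat.S_ISREG(st.st_mode):
            continue
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        records.append({"name": name, "size": st.st_size,
                        "mtime": _utc(st.st_mtime), "atime": _utc(st.st_atime),
                        "ctime": _utc(st.st_ctime), "sha256": digest})
    return records


def share_mtime(records):
    """True when every record carries the same modification time, as in the post."""
    return len({r["mtime"] for r in records}) <= 1


def distinct_hashes(records):
    """Number of distinct contents; equal-size files with equal hashes are copies."""
    return len({r["sha256"] for r in records})
```

Run `triage_directory` against a forensic copy of the root directory and keep the returned records with the case notes; a size period of 5 plus a single shared mtime and only a handful of distinct hashes is the signature of the listing described in the post.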
This archive was generated by hypermail 2b30 : Tue Jul 09 2002 - 18:23:02 PDT