RE: maybe a simple problem

From: Greg Reber (greg.reberat_private)
Date: Wed Oct 02 2002 - 18:16:17 PDT


    Andrew - if there is a suspicion that the client's machine has been
    compromised, they should stop using it and have you do some quick forensics.
    Back up files that they need, but not the whole HD.
    http://biatchux.dmzs.com/ is a great site for free forensics tools.
    
    -greg
    
    -----Original Message-----
    From: Andrew Fison [mailto:afison@brit-tex.net]
    Sent: Wednesday, October 02, 2002 2:37 AM
    To: incidentsat_private
    Subject: maybe a simple problem
    
    I have a client who believes that their Win98 PC has been hacked with some
    remote control software. They are pretty vague and not close by, so I cannot
    look at the machine all the time. I asked them to do netstat when they think
    they are being spied on, but as yet they have not given me anything useful.
    
    I think there is reason to believe them, as the owner is involved in a hostile
    boardroom takeover of his company by some other entities. Whilst this is
    legal, they have used other underhand methods against my customer before and
    they are trying to force him to sign over the business to them a little too
    swiftly.
    
    This all started when his wife was using the PC, and a telescope came on the
    screen and then disappeared. Since then the machine crashes, documents
    pertaining to the business have gone missing, etc. Any clues to what this
    telescope could be?
    
    yours
    
    andrew
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 09:59:16 PDT