Re: maybe a simple problem

From: Brad Arlt (arltat_private)
Date: Wed Oct 02 2002 - 13:16:54 PDT

    On Wed, Oct 02, 2002 at 04:37:18AM -0500, Andrew Fison wrote:
    > I have a client who believes that their Win98 PC has been hacked with some
    > remote control software. They are pretty vague and not close by so I cannot
    > look at the machine all the time. I asked them to do netstat when they think
    > they are being spied on but as yet they have not given me anything useful.
    > 
    > I think there is reason to believe them as the owner is involved in a hostile
    > boardroom takeover of his company by some other entities. Whilst this is
    > legal, they have used other underhand methods against my customer before and
    > they are trying to force him to sign over the business to them a little too
    > swiftly.
    > 
    > This all started when his wife was using the PC, and a telescope came on the
    > screen and then disappeared. Since then the machine crashes, documents
    > pertaining to the business have gone missing, etc. Any clues to what this
    > telescope could be?
    
    I'd say "Think horses, not zebras".  Feels like a virus to me.  Spy
    programs rarely advertise themselves.  If you are fairly certain
    something fishy is going on, but don't know what, the simple solution
    is a backup of data you care about, and reinstall.
    
    Ensure that your virus scanner and software patches are the latest and
    greatest on the new install, and you will likely be fine.
    
    If you can, drop a machine off with the needed software and data, grab
    the suspect machine and take your time staring at the suspect machine.
    This way you are not rushed, and your clients can keep computing
    happily.
    
    If your clients need better protection from data loss and viruses,
    Windows NT/2000/XP (so long as Administrator is not the regular user
    privilege) and regular backups might be worth pitching.
    -----------------------------------------------------------------------
       __o		Bradley Arlt			Security Team Lead
     _ \<_		arltat_private		University Of Calgary
    (_)/(_) 	I should be biking right now.	Computer Science
    
    