Another thing you might try, since it's a Win98 machine that was hacked and *all* the developed trojans I've heard of that would work on Win98 either use TCP or UDP, would be a simple port scan. Port scan TCP, port scan UDP, make sure *every single port* is checked. When a high port shows up that is suspicious you may have nailed your problem right there. You may even get lucky if the offenders haven't changed the default port and your port scanner (like nmap) would be able to tell you which trojan it is right then/there.

From my experience, the 3 most common you may want to have him look for would be:

1. SubSeven
2. Back Orifice
3. Master's Paradise

Keep in mind though, if you find one there's a very good chance there is another that was installed as a backup, almost anticipating that one be discovered.

Good luck
--Michael

>From: "Igor D. Spivak" <urbanachieverat_private>
>To: "Andrew Fison" <afison@brit-tex.net>, <incidentsat_private>
>Subject: Re: maybe a simple problem
>Date: Wed, 2 Oct 2002 12:49:32 -0700
>
>the way to track that is not through netstat (is too dependent on chance),
>but rather through a process/loaded dll list from an infected machine, being
>compared to a similar list on a known good machine and all non-matching
>entries researched.
>
>now then http://www.sysinternals.com/win9x/98utilities.shtml this should
>help you.
>also, what does the telescope look like (just curious).
>
>regards,
>
>IDS
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

Michael Anuzis, CCNA
Network Security Consultant
http://www.anuzisnetworking.com
http://www.lucidic.net - The Distributed Honeypot Project
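The process/loaded-DLL comparison the quoted reply describes, as an added example that is not part of the original post: it assumes a simplified tab-separated dump format rather than the real output of the Sysinternals utilities linked above, and both sample listings are constructed.

```python
# Added example, not from the original post: diff a process/loaded-module
# listing dumped from the suspect Win98 box against the same listing from a
# known-good machine, as the quoted reply suggests, and report every entry
# that does not match so it can be researched by hand. The input format is
# a constructed, simplified one ("process<TAB>module_path", one line per
# loaded module); adapt parse_listing() to whatever your dump tool prints.
from collections import defaultdict

def parse_listing(text):
    """Return {process_name: set(module_path)}; everything is case-folded."""
    modules = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proc, path = line.split("\t", 1)
        modules[proc.lower()].add(path.strip().lower())
    return modules

def compare_listings(good_text, suspect_text):
    """Everything on the suspect machine that the known-good baseline lacks.
    new_processes: processes absent from the baseline
    new_modules:   (process, module) pairs loaded only on the suspect
    relocated:     a baseline file name loaded from a different directory
                   (a common way to masquerade as a system DLL)
    """
    good, suspect = parse_listing(good_text), parse_listing(suspect_text)
    baseline = {p.rsplit("\\", 1)[-1]: p for ps in good.values() for p in ps}
    report = {"new_processes": [], "new_modules": [], "relocated": []}
    for proc, paths in sorted(suspect.items()):
        if proc not in good:
            report["new_processes"].append(proc)
            continue
        for path in sorted(paths - good[proc]):
            name = path.rsplit("\\", 1)[-1]
            if name in baseline and baseline[name] != path:
                report["relocated"].append((proc, path, baseline[name]))
            else:
                report["new_modules"].append((proc, path))
    return report

# Constructed sample listings (placeholder names, not real dumps).
GOOD = ("explorer.exe\tC:\\WINDOWS\\SYSTEM\\KERNEL32.DLL\n"
        "explorer.exe\tC:\\WINDOWS\\SYSTEM\\USER32.DLL\n"
        "notepad.exe\tC:\\WINDOWS\\SYSTEM\\KERNEL32.DLL\n")
SUSPECT = (GOOD + "explorer.exe\tC:\\WINDOWS\\TEMP\\USER32.DLL\n"
           "notepad.exe\tC:\\WINDOWS\\SYSTEM\\EXAMPLE_UNKNOWN.DLL\n"
           "unknownproc.exe\tC:\\WINDOWS\\SYSTEM\\KERNEL32.DLL\n")
if __name__ == "__main__":
    for kind, entries in compare_listings(GOOD, SUSPECT).items():
        print(kind, entries)
```

Every reported entry still has to be researched by hand; the script only narrows the list from "everything loaded" to "everything that differs from the clean box".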
This archive was generated by hypermail 2b30 : Thu Oct 03 2002 - 14:07:22 PDT