RE: maybe a simple problem

From: Jeff Peterson (jpetersonat_private)
Date: Fri Oct 04 2002 - 10:08:02 PDT


    A good plan of action to detect if the person is being hacked might be this:
    
    1.  Insert a simple hub, (not a switch), between his pc and the usual
    network connection.
    
    2.  Attach another PC to this hub, and collect packets using Ethereal.
    (http://www.ethereal.com/).  The hub will allow the sniffer to inspect all
    packets to and from his machine.
    
    3.  Run a capture at all times that his machine is running.
    
    4.  Run a capture for an extended period of time when he is _away_ from his
    machine, but when it is turned on.  Sudden bursts of activity during this
    time would be of great interest.
    
    5.  Get a severe coffee buzz, and analyze the captures for suspicious
    activity.  If he is being hacked, you will probably notice some kind of
    pattern, such as a 3rd IP address suddenly being active when he starts up
    his e-mail, or something.  
    
    6.  Investigate the unusual IP addresses with the mindset that they are innocent,
    and try to prove so.  Do not assume that any activity is malicious until
    you cannot prove otherwise.
    
    7.  Save all captures in the event that there is evil-doing.
    
    My $0.02
    
    Jeff Peterson
    Berkeley Technika, Inc.
    
    -----Original Message-----
    From: Andrew Fison [mailto:afison@brit-tex.net]
    Sent: Wednesday, October 02, 2002 2:37 AM
    To: incidentsat_private
    Subject: maybe a simple problem
    
    
    I have a client who believes that their win98 pc has been hacked with some
    remote control software. They are pretty vague and not close by so I cannot
    look at the machine all the time. I asked them to do netstat when they think
    they are being spied on but as yet they have not given me anything useful.
    
    I think there is reason to believe them as the owner is involved in a hostile
    boardroom takeover of his company by some other entities. Whilst this is
    legal, they have used other underhand methods against my customer before and
    they are trying to force him to sign over the business to them a little too
    swiftly.
    
    This all started when his wife was using the pc, and a telescope came on the
    screen and then disappeared. Since then the machine crashes, documents
    pertaining to the business have gone missing, etc. Any clues to what this
    telescope could be?
    
    yours
    
    andrew
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
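The capture-and-triage procedure in the reply above (steps 1 to 7), as an added example that is not part of the original post: a stdlib-only Python script that reads a libpcap file (the format Ethereal saves), tallies every remote IP that exchanged packets with the monitored PC, and reports which of them were active while the user was away from the keyboard. The host address, the idle window, the allow-list of expected servers and the packets themselves are constructed sample data, not from any real incident; the build_pcap helper exists only so the example runs offline without a capture file.

```python
"""Triage a libpcap capture for hosts talking to a monitored PC.

Added example, not code from the mailing-list thread. Assumes a capture taken
on a hub (so both directions of the PC's traffic are visible), saved as a
classic libpcap file with Ethernet framing. Only IPv4 is decoded; other
frames are skipped. All addresses, ports and timestamps are constructed.
"""
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

HOST = "192.168.1.10"                 # constructed: the PC under observation
IDLE_WINDOWS = [(1000.0, 2000.0)]     # constructed: user away, machine on
KNOWN_SERVERS = {"192.168.1.1", "192.168.1.2"}  # constructed: DNS and mail server

# Constructed packets: (ts, src, dst, proto, sport, dport, payload_len)
SAMPLE_PACKETS = [
    (10.0, HOST, "192.168.1.1", 17, 1025, 53, 40),        # DNS while user active
    (10.1, "192.168.1.1", HOST, 17, 53, 1025, 80),
    (12.0, HOST, "192.168.1.2", 6, 1026, 110, 0),         # user opens mail (POP3)
    (12.1, "192.168.1.2", HOST, 6, 110, 1026, 200),
    (12.5, "203.0.113.7", HOST, 6, 40000, 5000, 30),      # third IP appears with mail
    (12.6, HOST, "203.0.113.7", 6, 5000, 40000, 1400),
    (1500.0, HOST, "203.0.113.7", 6, 5000, 40000, 1400),  # burst while idle
    (1500.1, HOST, "203.0.113.7", 6, 5000, 40000, 1400),
    (1500.2, HOST, "203.0.113.7", 6, 5000, 40000, 1400),
    (1600.0, HOST, "192.168.1.2", 6, 1027, 110, 0),       # mail client auto-polls
]


def build_pcap(packets):
    """Serialise constructed packet tuples into libpcap bytes (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, src, dst, proto, sport, dport, plen in packets:
        l4 = struct.pack("!HH", sport, dport) + (b"\x00" * 16 if proto == 6 else b"\x00" * 4)
        payload = b"\x00" * plen
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 0, 0, 64,
                         proto, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + struct.pack("!H", ETH_IPV4) + ip + l4 + payload
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame)
    return b"".join(out)


def parse_pcap(data):
    """Yield (ts, src, dst, proto, sport, dport, frame_len) for each IPv4 frame."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">" if magic == 0xD4C3B2A1 else None
    if end is None:
        raise ValueError("not a libpcap file (pcapng is not handled here)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        sport = dport = None
        if proto in (6, 17) and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield sec + usec / 1e6, src, dst, proto, sport, dport, incl


def summarise_peers(records, host, idle_windows):
    """Per remote IP: packets, bytes, packets inside the idle windows, first-seen
    time, and the (proto, port) pairs used on the monitored host's side."""
    peers = defaultdict(lambda: {"pkts": 0, "bytes": 0, "idle_pkts": 0,
                                 "first": None, "host_ports": set()})
    for ts, src, dst, proto, sport, dport, length in records:
        if host not in (src, dst):
            continue
        peer, host_port = (dst, sport) if src == host else (src, dport)
        p = peers[peer]
        p["pkts"] += 1
        p["bytes"] += length
        p["host_ports"].add((PROTO_NAMES.get(proto, str(proto)), host_port))
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        if any(a <= ts <= b for a, b in idle_windows):
            p["idle_pkts"] += 1
    return dict(peers)


def peers_to_investigate(peers, known_servers=()):
    """Step 6 of the procedure: peers active while the user was away that are
    not servers the PC is expected to talk to. Still innocent until proven otherwise."""
    return sorted(ip for ip, p in peers.items()
                  if p["idle_pkts"] > 0 and ip not in known_servers)


if __name__ == "__main__":
    # With a real capture: data = open("capture.pcap", "rb").read()
    summary = summarise_peers(parse_pcap(build_pcap(SAMPLE_PACKETS)), HOST, IDLE_WINDOWS)
    for ip, p in sorted(summary.items(), key=lambda kv: -kv[1]["idle_pkts"]):
        print(f"{ip:15} pkts={p['pkts']:3} bytes={p['bytes']:6} idle_pkts={p['idle_pkts']:3} "
              f"first={p['first']:.1f} host_ports={sorted(p['host_ports'])}")
    print("investigate:", peers_to_investigate(summary, KNOWN_SERVERS))
```

The allow-list does the work the reply's step 6 asks for: the mail server polls during the idle window too, so "active while idle" alone is not evidence; what stands out is an address the machine has no business reaching, first seen the moment mail was opened, with a stable port on the PC's side that a remote party keeps returning to. Captures stay as files for step 7; the script only reads them.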



    This archive was generated by hypermail 2b30 : Fri Oct 04 2002 - 23:19:04 PDT