RE: Suspicious file on Desktop

From: Michael LaSalvia (mikeat_private)
Date: Mon Feb 10 2003 - 08:58:56 PST


    May I suggest checking the Run option in your registry. See if anything there
    looks suspicious. Also check the svchost processes. It has been known for IRC
    bots to be hidden as system names so they are not easily found in the task
    manager. I figure you had a weak password and they mapped your c$ or
    exploited another Windows vulnerability and placed a bot of some sort, since
    you had no firewall. But that is only a guess, cause I don't have more info
    about your system. I suggest searching for these files (secure.bat, psexec,
    kill); there are a few others but I can't remember their names right now. Also
    run a netstat to see what connections are coming in and out of your PC. This
    can help in solving the mystery of what's going on.
    
    -----Original Message-----
    From: Patrick Fish [mailto:patrickat_private]
    Sent: Monday, February 10, 2003 5:12 AM
    To: incidentsat_private
    Subject: Suspicious file on Desktop
    
    
    Hi,
    
    I've been trying to figure out why there is a "Startup.log" file on my
    desktop. I've searched mail archives and google, but didn't find anything
    about this. The file contains:
    
    (Last octet of IP removed)
    CONNECTION: [01/26/03 21:50 UTC] 62.163.176.xx
    CONNECTION: [01/26/03 21:56 UTC] 67.192.41.xxx
    CONNECTION: [01/26/03 22:01 UTC] 67.192.41.xxx
    CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
    CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
    CONNECTION: [02/06/03 08:49 UTC] 80.194.40.xxx
    CONNECTION: [02/06/03 09:06 UTC] 144.134.163.xx
    CONNECTION: [02/06/03 09:11 UTC] 216.249.81.xx
    CONNECTION: [02/06/03 09:46 UTC] 136.165.87.xxx
    CONNECTION: [02/06/03 09:47 UTC] 211.28.63.xxx
    
    
    After resolving a few of them, these are all people I know pretty well on
    IRC. I can't figure out what's causing this - I don't use a mIRC script, I
    don't have a firewall (XP firewall is disabled) -- I do have Norton 2003
    Pro. I'm using Windows XP Pro on Service Pack 1a, but the file was created
    before I installed SP1a.
    
    I've checked my process list, and there's nothing running that shouldn't be.
    
    Has anyone seen something similar or know what's causing this?
    
    
    Thanks.
    
    
    --
    Patrick Fish
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
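As an added example that is not part of either poster's message: a small Python triage helper for the "Startup.log" format quoted above. It parses the CONNECTION lines, skips anything malformed, and groups entries into sessions so you can see when the activity happened and from how many distinct /24 networks. The sample log is constructed to mirror the shape of the posted file (redacted last octets included), not the real file.

```python
import re
from datetime import datetime, timedelta

# Line shape as quoted in the post: CONNECTION: [MM/DD/YY HH:MM UTC] a.b.c.d
# Trailing octets may be "x" characters because the poster redacted them.
LINE_RE = re.compile(
    r"^CONNECTION:\s*\[(\d{2}/\d{2}/\d{2} \d{2}:\d{2}) UTC\]\s*"
    r"([\dx]{1,3}(?:\.[\dx]{1,3}){3})\s*$"
)

# Constructed sample log (assumption: same layout as the posted file, not its real content).
SAMPLE_LOG = """\
CONNECTION: [01/26/03 21:50 UTC] 62.163.176.xx
CONNECTION: [01/26/03 21:56 UTC] 67.192.41.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 09:06 UTC] 144.134.163.xx
garbage line that should be ignored
"""

def parse_startup_log(text):
    """Return sorted (timestamp, ip) tuples for well-formed CONNECTION lines; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%m/%d/%y %H:%M")
        events.append((ts, m.group(2)))
    return sorted(events)

def bursts(events, gap=timedelta(minutes=30)):
    """Split the event list into sessions wherever consecutive entries are more than `gap` apart."""
    sessions = []
    for ev in events:
        if sessions and ev[0] - sessions[-1][-1][0] <= gap:
            sessions[-1].append(ev)
        else:
            sessions.append([ev])
    return sessions

def summarize(text, gap=timedelta(minutes=30)):
    """Per session: (first timestamp, last timestamp, entry count, distinct /24 prefixes)."""
    out = []
    for s in bursts(parse_startup_log(text), gap):
        nets = {ip.rsplit(".", 1)[0] for _, ip in s}
        out.append((s[0][0], s[-1][0], len(s), len(nets)))
    return out

if __name__ == "__main__":
    for first, last, n, nets in summarize(SAMPLE_LOG):
        print(f"{first:%Y-%m-%d %H:%M} .. {last:%H:%M} UTC: {n} entries from {nets} distinct /24s")
```

The session boundaries line up with the two dates in the posted file, which is the kind of timeline you would compare against the registry Run entries and the netstat output suggested in the reply.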
