Security Basics mailing list archives
AW: XP Box appears to be compromised
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Thu, 7 Aug 2003 08:30:32 +0100
If that doesn't work, then download WinPcap and Ethereal, install them, put the computer on a hub or on a switch span port, start Ethereal, say 'start filtering' and use the filter string 'src host MY_IP or dst host MY_IP' without the apostrophes, replacing MY_IP with the IP address of the machine. That should have everything done in 30 minutes. The advantage of this approach is that you can save the network traffic. If this thing escalates into an administrative action (firing, discipline, etc.) you want to have that stuff recorded, and you want a second person who can testify that person X was using IP Y during the illegal movements.

badenIT GmbH
System Support
Chris Meidinger
Tullastrasse 70
79108 Freiburg
______________
There are 10 kinds of people on the planet: those who understand binary, and those who don't.

-----Original Message-----
From: chris [mailto:chris09 () linuxmail org]
Sent: Wednesday, August 06, 2003 8:40 PM
To: security-basics () securityfocus com
Subject: Re: XP Box appears to be compromised
In-Reply-To: <D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>

Easiest way to do this is to open a prompt on the box and simply type "netstat -a". If there's someone connected to the box it should point you right to their IP address.

Chris
www.cr-secure.net
Subject: XP Box appears to be compromised
Date: Wed, 6 Aug 2003 11:03:31 -0600
Message-ID: <D8914909A618614AA32CB22F172F3E2D071A88 () dmaul hoth alvalearning com>
From: "Gregory M. Brown" <gbrown () alvalearning com>
To: <security-basics () securityfocus com>

I've got an issue with what appears to be remote desktop management of an XP box. It's weird... There are deliberate mouse movements on this box. I'm assuming it's an internal person doing this, as our FW and Fortinet device will block any remote seizing of a desktop. I've disabled all the XP remote services, and it continues to happen. I could bust open packets with a sniffer, but there is a time constraint as the organization laid virtually all IT people off. Imagine that.... What should I be looking for? I need to nail whoever is doing this.

Thanks for any help.

Greg B.
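As an added illustration of the netstat approach suggested in the thread (example code written for this archive, not from any of the posters), here is a small Python parser for the numeric form of the Windows output (netstat -an) that lists every established peer and flags sessions on well-known remote-control ports. The sample output, the machine addresses and the port list are constructed assumptions; on the real box you would feed it the actual netstat output.

```python
import re
from collections import namedtuple

# Constructed sample of Windows `netstat -an` output (not from the thread);
# a remote-control session from 192.168.1.77 shows up on RDP (3389) and VNC (5900).
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:3389      192.168.1.77:1044      ESTABLISHED
  TCP    192.168.1.20:5900      192.168.1.77:1051      ESTABLISHED
  TCP    192.168.1.20:1234      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Well-known remote-control service ports; which ones matter is an assumption.
REMOTE_CONTROL_PORTS = {3389: "RDP", 5800: "VNC-HTTP", 5900: "VNC"}
Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?\s*$")

def parse_netstat(text):
    """Numeric netstat output -> Conn tuples; headers skipped, '*' port -> None."""
    conns = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        port = lambda s: None if s == "*" else int(s)
        conns.append(Conn(proto, lip, port(lport), rip, port(rport), state or ""))
    return conns

def established_peers(conns):
    """Every remote IP holding an ESTABLISHED TCP session with this box."""
    return sorted({c.remote_ip for c in conns
                   if c.proto == "TCP" and c.state == "ESTABLISHED"})

def remote_control_sessions(conns):
    """(remote_ip, service) for established sessions on remote-control ports:
    the peer to note, with the time, before capturing its traffic."""
    return sorted((c.remote_ip, REMOTE_CONTROL_PORTS[c.local_port])
                  for c in conns
                  if c.state == "ESTABLISHED" and c.local_port in REMOTE_CONTROL_PORTS)

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    print("established peers:", established_peers(conns))
    print("remote-control sessions:", remote_control_sessions(conns))
```

Using -n (numeric) rather than plain -a avoids name lookups, so the listing is immediate and the remote address is the raw IP you would then pass to the Ethereal filter and record alongside the time of the observed mouse movements.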