Security Incidents mailing list archives

RE: maybe a simple problem


From: Rob Keown <Keown () MACDIRECT COM>
Date: Sat, 5 Oct 2002 18:22:56 -0400

If you can't get a plain hub in line there is a nice program I found on
Securiteam.com that uses arp spoofing and lets you establish a bridge between
you and the target system.

hub. http://www.securiteam.com/tools/5HP0K0K8BG.html

Doesn't work for me on XP but does on NT. I believe there is a UNIX version
too.

Of course, know what you are doing and get permission. Arp spoofing can
cause problems.

Rob Keown

-----Original Message-----
From: Jeff Peterson [mailto:jpeterson () btiis net]
Sent: Friday, October 04, 2002 1:08 PM
To: 'Andrew Fison'; incidents () securityfocus com
Subject: RE: maybe a simple problem


A good plan of action to detect if the person is being hacked might be this:

1.  Insert a simple hub, (not a switch), between his pc and the usual
network connection.

2.  Attach another PC to this hub, and collect packets using Ethereal.
(http://www.ethereal.com/).  The hub will allow the sniffer to inspect all
packets to and from his machine.

3.  Run a capture at all times that his machine is running.

4.  Run a capture for an extended period of time when he is _away_ from his
machine, but when it is turned on.  Sudden bursts of activity during this
time would be of great interest.

5.  Get a severe coffee buzz, and analyze the captures for suspicious
activity.  If he is being hacked, you will probably notice some kind of
pattern, such as a 3rd IP address suddenly being active when he starts up
his e-mail, or something.  

6.  Investigate the unusual IP addresses with a mindset that it is innocent,
and try to prove so.  Do not assume that any activity is malicious, until
you cannot prove otherwise.

7.  Save all captures in the event that there is evil-doing.

My $0.02

Jeff Peterson
Berkeley Technika, Inc.
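
An added triage helper for steps 4 to 7 of the procedure above; this is not code from Jeff's post or from the thread. It assumes the sniffer capture has been exported as a plain text summary with one packet per line ("epoch_seconds src_ip dst_ip proto bytes"), that the monitored PC is 192.0.2.10, and that the other addresses (a mail server, a web server and one unexplained peer) are constructed sample values, not real hosts. It builds the list of remote peers the PC talked to, reports the ones that are not on an allow-list of expected servers, isolates traffic during the "away" window, and finds third-party addresses that are active in the same few seconds as the mail server, which is exactly the pattern step 5 suggests looking for.

```python
"""Triage helper for a hub-and-sniffer capture (added example, hypothetical format).

Expected export format, one packet per line:
    <epoch_seconds> <src_ip> <dst_ip> <proto> <bytes>
"""
from collections import Counter, defaultdict

MONITORED = "192.0.2.10"  # assumption: stand-in address for the client's PC

# Constructed sample export, not a real capture. 192.0.2.25 plays the mail
# server, 198.51.100.7 a known web server, 203.0.113.44 an unexplained peer.
# The last four lines fall in a window when the owner is away from the PC.
SAMPLE_EXPORT = """\
1033500000 192.0.2.10 192.0.2.25 tcp 120
1033500001 192.0.2.25 192.0.2.10 tcp 800
1033500002 192.0.2.10 203.0.113.44 tcp 64
1033500003 203.0.113.44 192.0.2.10 tcp 1500
1033500004 192.0.2.10 198.51.100.7 tcp 300
1033503600 203.0.113.44 192.0.2.10 tcp 1500
1033503601 192.0.2.10 203.0.113.44 tcp 90
1033503602 203.0.113.44 192.0.2.10 tcp 1500
1033503603 203.0.113.44 192.0.2.10 tcp 1500
"""


def parse_export(text):
    """Turn the text export into (ts, src, dst, proto, size) tuples."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, proto, size = line.split()
        rows.append((int(ts), src, dst, proto, int(size)))
    return rows


def remote_peer(row, host=MONITORED):
    """Return the other end of a packet involving host, or None."""
    _, src, dst, _, _ = row
    if src == host:
        return dst
    if dst == host:
        return src
    return None


def peers_of(rows, host=MONITORED):
    """Packets and bytes exchanged with each remote address (step 5)."""
    stats = defaultdict(lambda: [0, 0])
    for row in rows:
        peer = remote_peer(row, host)
        if peer is None:
            continue
        stats[peer][0] += 1
        stats[peer][1] += row[4]
    return {p: tuple(v) for p, v in stats.items()}


def unexpected_peers(rows, known, host=MONITORED):
    """Addresses not on the allow-list of expected servers (step 6 input)."""
    return sorted(p for p in peers_of(rows, host) if p not in known)


def away_activity(rows, away_start, away_end, host=MONITORED):
    """Traffic while the owner is away, grouped by peer (step 4)."""
    window = [r for r in rows if away_start <= r[0] <= away_end]
    return peers_of(window, host)


def correlated_peers(rows, trigger_peer, window_s=5, host=MONITORED):
    """Third-party addresses seen within window_s seconds of any packet
    to or from trigger_peer, e.g. the mail server (step 5 pattern)."""
    trigger_times = [r[0] for r in rows if trigger_peer in (r[1], r[2])]
    found = Counter()
    for row in rows:
        peer = remote_peer(row, host)
        if peer is None or peer == trigger_peer:
            continue
        if any(abs(row[0] - t) <= window_s for t in trigger_times):
            found[peer] += 1
    return dict(found)


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    known = {"192.0.2.25", "198.51.100.7"}  # servers the client is expected to use
    print("peers:", peers_of(rows))
    print("unexpected:", unexpected_peers(rows, known))
    print("away window:", away_activity(rows, 1033503000, 1033504000))
    print("active alongside mail:", correlated_peers(rows, "192.0.2.25"))
```

On the sample data the unexplained peer shows up three ways: it is absent from the allow-list, it is the only address talking to the PC during the away window, and it is active within seconds of the mail-server traffic. None of that proves anything by itself, which is the point of step 6; the script only tells you which addresses are worth the coffee.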

-----Original Message-----
From: Andrew Fison [mailto:afison () brit-tex net]
Sent: Wednesday, October 02, 2002 2:37 AM
To: incidents () securityfocus com
Subject: maybe a simple problem


I have a client who believes that their win98 pc has been hacked with some
remote control software. They are pretty vague and not close by so I cannot
look at the machine all the time. I asked them to do netstat when they think
they are being spied on but as yet they have not given me anything useful.

I think there is reason to believe them as the owner is involved in a hostile
boardroom take over of his company by some other entities, whilst this is
legal, they have used other underhand methods against my customer before and
they are trying to force him to sign over the business to them a little too
swiftly.

This all started when his wife was using the pc, and a telescope came on the
screen and then disappeared, since then the machine crashes, documents
pertaining to the business have gone missing etc, any clues to what this
telescope could be?

yours

andrew



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

