Security Incidents mailing list archives
RE: maybe a simple problem
From: Rob Keown <Keown () MACDIRECT COM>
Date: Sat, 5 Oct 2002 18:22:56 -0400
If you can't get a plain hub in line there is a nice program I found on Securiteam.com that uses ARP spoofing and lets you establish a bridge between you and the target system. hub.
http://www.securiteam.com/tools/5HP0K0K8BG.html
Doesn't work for me on XP but does on NT. I believe there is a UNIX version too. Of course, know what you are doing and get permission. ARP spoofing can cause problems.

Rob Keown

-----Original Message-----
From: Jeff Peterson [mailto:jpeterson () btiis net]
Sent: Friday, October 04, 2002 1:08 PM
To: 'Andrew Fison'; incidents () securityfocus com
Subject: RE: maybe a simple problem

A good plan of action to detect if the person is being hacked might be this:

1. Insert a simple hub (not a switch) between his PC and the usual network connection.
2. Attach another PC to this hub, and collect packets using Ethereal (http://www.ethereal.com/). The hub will allow the sniffer to inspect all packets to and from his machine.
3. Run a capture at all times that his machine is running.
4. Run a capture for an extended period of time when he is _away_ from his machine, but when it is turned on. Sudden bursts of activity during this time would be of great interest.
5. Get a severe coffee buzz, and analyze the captures for suspicious activity. If he is being hacked, you will probably notice some kind of pattern, such as a 3rd IP address suddenly being active when he starts up his e-mail, or something.
6. Investigate the unusual IP addresses with a mindset that it is innocent, and try to prove so. Do not assume that any activity is malicious, until you cannot prove otherwise.
7. Save all captures in the event that there is evil-doing.

My $0.02

Jeff Peterson
Berkeley Technika, Inc.

-----Original Message-----
From: Andrew Fison [mailto:afison () brit-tex net]
Sent: Wednesday, October 02, 2002 2:37 AM
To: incidents () securityfocus com
Subject: maybe a simple problem

I have a client who believes that their Win98 PC has been hacked with some remote control software. They are pretty vague and not close by so I cannot look at the machine all the time. I asked them to do netstat when they think they are being spied on but as yet they have not given me anything useful.

I think there is reason to believe them as the owner is involved in a hostile boardroom takeover of his company by some other entities. Whilst this is legal, they have used other underhand methods against my customer before and they are trying to force him to sign over the business to them a little too swiftly.

This all started when his wife was using the PC, and a telescope came on the screen and then disappeared. Since then the machine crashes, documents pertaining to the business have gone missing, etc. Any clues to what this telescope could be?

yours
andrew

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
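
An added example, not part of the original messages: one way to do the triage in steps 4 to 6 of the quoted plan, listing peers that talk to the monitored PC only while the user is away and the minutes in which they burst. The CSV column layout, the addresses and the byte threshold are constructed assumptions, and the output is a list of leads to check, not a verdict.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: packet summaries exported from a capture as CSV
# (assumed columns: time, src, dst, frame length). Addresses are documentation ranges.
SAMPLE_CSV = """time,src,dst,length
2002-10-04 09:01:10,192.0.2.10,198.51.100.25,420
2002-10-04 09:01:11,198.51.100.25,192.0.2.10,1500
2002-10-04 12:30:02,192.0.2.10,198.51.100.53,80
2002-10-04 19:42:05,203.0.113.77,192.0.2.10,90
2002-10-04 19:42:06,192.0.2.10,203.0.113.77,1500
2002-10-04 19:42:07,192.0.2.10,203.0.113.77,1500
2002-10-04 19:42:40,192.0.2.10,203.0.113.77,1500
2002-10-04 21:15:00,192.0.2.10,198.51.100.53,80
"""

FMT = "%Y-%m-%d %H:%M:%S"


def triage(csv_text, host, away_start, away_end, burst_bytes=2000):
    """Summarise traffic to/from `host` seen while its user was away."""
    start = datetime.strptime(away_start, FMT)
    end = datetime.strptime(away_end, FMT)
    attended_peers = set()            # peers seen while the user was present
    away_bytes = defaultdict(int)     # peer -> bytes exchanged while away
    per_minute = defaultdict(int)     # (minute, peer) -> bytes while away
    for row in csv.DictReader(io.StringIO(csv_text)):
        if host not in (row["src"], row["dst"]):
            continue  # on a hub the sniffer also sees other stations
        peer = row["dst"] if row["src"] == host else row["src"]
        ts = datetime.strptime(row["time"], FMT)
        if start <= ts < end:
            away_bytes[peer] += int(row["length"])
            per_minute[(ts.strftime("%Y-%m-%d %H:%M"), peer)] += int(row["length"])
        else:
            attended_peers.add(peer)
    # Peers that only appear while nobody is at the keyboard are the first leads.
    away_only = sorted(p for p in away_bytes if p not in attended_peers)
    bursts = sorted(k for k, b in per_minute.items() if b >= burst_bytes)
    return {"away_only_peers": away_only, "bursts": bursts,
            "away_bytes": dict(away_bytes)}


if __name__ == "__main__":
    print(triage(SAMPLE_CSV, "192.0.2.10",
                 "2002-10-04 18:00:00", "2002-10-05 08:00:00"))
```
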