If that doesn't work, then download winlibpcap and ethereal, install, but on hub with computer or switch span port start ethereal say 'start filtering' and use the filter string 'src host MY_IP or dst host MY_IP' without apostrophe and replacing MY_IP with the IP address of the machine should have everything done in 30 minutes
the advantage of this approach is that you can save the network traffic. if this thing escalates into an administrative action (firing, discipline, etc.) you want to have that stuff recorded, and you want a second person who can testify that person x was using ip y during the illegal movements. badenIT GmbH System Support Chris Meidinger Tullastrasse 70 79108 Freiburg ______________ Es gibt 10 arten von Menschen auf dem Planeten, welche die Binär verstehen, und welche die es nicht tun. -----Ursprüngliche Nachricht----- Von: chris [mailto:[EMAIL PROTECTED] Gesendet: Wednesday, August 06, 2003 8:40 PM An: [EMAIL PROTECTED] Betreff: Re: XP Box appears to be compromised In-Reply-To: <[EMAIL PROTECTED]> Easiest way to do this is to open a prompt on the box and simply type "netstat -a" if theres someone connected to the box it should point you right to their IP address. Chris www.cr-secure.net >Received: (qmail 22282 invoked from network); 6 Aug 2003 18:15:44 -0000 >Received: from outgoing3.securityfocus.com (205.206.231.27) > by mail.securityfocus.com with SMTP; 6 Aug 2003 18:15:44 -0000 >Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) > by outgoing3.securityfocus.com (Postfix) with QMQP > id DF73DA3163; Wed, 6 Aug 2003 12:18:42 -0600 (MDT) >Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm >Precedence: bulk >List-Id: <security-basics.list-id.securityfocus.com> >List-Post: <mailto:[EMAIL PROTECTED]> >List-Help: <mailto:[EMAIL PROTECTED]> >List-Unsubscribe: <mailto:[EMAIL PROTECTED]> >List-Subscribe: <mailto:[EMAIL PROTECTED]> >Delivered-To: mailing list [EMAIL PROTECTED] >Delivered-To: moderator for [EMAIL PROTECTED] >Received: (qmail 12361 invoked from network); 6 Aug 2003 10:56:22 -0000 >X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 >content-class: urn:content-classes:message >Subject: XP Box appears to be compromised >MIME-Version: 1.0 >Content-Type: text/plain; > charset="US-ASCII" >Content-Transfer-Encoding: quoted-printable >Date: Wed, 6 Aug 2003 11:03:31 -0600 >Message-ID: <[EMAIL PROTECTED]> >X-MS-Has-Attach: >X-MS-TNEF-Correlator: >Thread-Topic: XP Box appears to be compromised >Thread-Index: AcNcPKmigN12jsnKTyK/Qlaav5Jhdg== >From: "Gregory M. Brown" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]> > >I've got an issue with what appears to be remote desktop management of >an XP box. It's weird... > >There are deliberate mouse movements on this box. I'm assuming it's an >internal person doing this as our FW and Fortinet device will block any >remote seizing of a desktop. I've disabled all the XP remote services, >and it continues to happen. I could bust open packets with sniffer, but >there is a time constraint as the organization laid virtually all IT >people off. Imagine that.... > >What should I be looking for? I need to nail whoever is doing this.=20 > >Thanks for any help. > >Greg B. > > > >-------------------------------------------------------------------------- - >-------------------------------------------------------------------------- -- > > --------------------------------------------------------------------------- ---------------------------------------------------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------