Assuming someone's watching the screen, there's a good chance they'll close the connection if they see you doing a netstat while they're connected. Doesn't sound like anything related to terminal services (xp remote desktop) as it'll lock the console session while the remote session is active. VNC, however, is more liberal. Could also be any Trojan. Thoroughly scan the machine (TDS, pestpatrol, antivir, etc.), install a software firewall, find out what ports are being used by what processes (www.diamondcs.com.au, the makers of TDS, make a port monitor that works well). If you find nothing and you're sure the machine has been compromised, format.
-----Original Message-----
From: chris [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 06, 2003 11:40 AM
To: [EMAIL PROTECTED]
Subject: Re: XP Box appears to be compromised
In-Reply-To: <[EMAIL PROTECTED]>

Easiest way to do this is to open a prompt on the box and simply type "netstat -a". If there's someone connected to the box it should point you right to their IP address.

Chris
www.cr-secure.net

> List-Id: <security-basics.list-id.securityfocus.com>
> Subject: XP Box appears to be compromised
> Date: Wed, 6 Aug 2003 11:03:31 -0600
> From: "Gregory M. Brown" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
>
> I've got an issue with what appears to be remote desktop management of
> an XP box. It's weird...
>
> There are deliberate mouse movements on this box. I'm assuming it's an
> internal person doing this as our FW and Fortinet device will block any
> remote seizing of a desktop. I've disabled all the XP remote services,
> and it continues to happen. I could bust open packets with a sniffer, but
> there is a time constraint as the organization laid virtually all IT
> people off. Imagine that....
>
> What should I be looking for? I need to nail whoever is doing this.
>
> Thanks for any help.
>
> Greg B.
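An added example, not written by anyone in this thread, of the netstat triage the replies describe: it parses a constructed `netstat -ano` listing (the `-o` column, which XP supports, gives the owning PID and so answers the "which process owns which port" question), lists the established sessions with their remote IPs, and flags sessions on the RDP and VNC ports named above. All addresses and PIDs in the sample are made up.

```python
import re
from collections import namedtuple

# Constructed sample of `netstat -ano` output; addresses and PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1720
  TCP    192.168.1.20:5900      192.168.1.77:1093      ESTABLISHED     1720
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:1045      192.168.1.5:445        ESTABLISHED     4
  UDP    0.0.0.0:445            *:*                                    4
"""

# Default ports of the remote-control tools discussed in the thread.
REMOTE_CONTROL_PORTS = {3389: "RDP / Terminal Services", 5900: "VNC"}

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# One netstat row: proto, local addr:port, foreign addr:port, optional state, pid.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Turn netstat -ano output into Conn records; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state, pid = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          int(rport) if rport.isdigit() else None,  # UDP shows *:*
                          state or "", int(pid)))
    return conns

def established_peers(conns):
    """(remote_ip, local_port, pid) for every live TCP session on the box."""
    return [(c.remote_ip, c.local_port, c.pid) for c in conns if c.state == "ESTABLISHED"]

def flag_remote_control(conns):
    """Live sessions on the RDP/VNC ports, labelled with the tool name."""
    return [(REMOTE_CONTROL_PORTS[c.local_port], c.remote_ip, c.pid) for c in conns
            if c.state == "ESTABLISHED" and c.local_port in REMOTE_CONTROL_PORTS]

if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for ip, port, pid in established_peers(conns):
        print("established from %s on local port %d, owned by pid %d" % (ip, port, pid))
    for tool, ip, pid in flag_remote_control(conns):
        print("%s session from %s (pid %d)" % (tool, ip, pid))
```

Run it against real output with `netstat -ano > out.txt` and feed the file to `parse_netstat`; the PID column can then be matched against Task Manager to name the process.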
