[Dshield] Proof of hacker. What do I do?
dominiquefiori at numericable.fr
Tue Aug 27 09:46:42 GMT 2002
What is this please? A news list? If yes, well, we had the same problem:
0) When the attack occurs, please stop your internet connection
1) run an anti-virus, anti-trojan soft (use 2 at least, as anti-virus are not 100% proof)
2) Try to determine what port was open/established
3) TCPView looks good but a good old netstat -a (-n to get just IP
The philosophy is as follows: get rid of what has established the
ask yourself:
- file shares with too many authorisations on my system?
- no antivirus?
- passwords written somewhere
- internal mistake or vengeance (review accounts)
- did I configure Windows right? If I am using Linux, am I starting too many
You understood me, I guess: analyse how and why the connection was accepted.
On the other hand if it is on port 80 you might only be surfing.
dominique "apologies for my poor English as I am French" Fiori
Tel 00 33 6 73 87 32 62
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of
Sent: Monday 26 August 2002 17:00
To: list at dshield.org
Subject: [Dshield] Proof of hacker. What do I do?
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:nbdatagram *:*
UDP d2f2t6:1978 *:*
What I did was install TCPVIEW. Then I went into netstat. What I think is
being stopped at my firewall is not being stopped. They are into DOS.
Here is my event log that corresponds with this.
2002/08/24 20:50:05 220.127.116.11:80 (unknown.Level3.net) 18.104.22.168:1074
Port 1074 (TCP)
2002/08/24 20:35:48 22.214.171.124:80 (unknown.Level3.net) 126.96.36.199:1075
Port 1075 (TCP)
I didn't get it all copied over because there are 8 entries on the firewall
in a row.
There are also large files showing up that I don't know what they are.
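The reply's step 3 (run netstat -a and work out what is listening and what is established) applied to the listing quoted above, as an added example that is not part of either message. It is a constructed Python script: the sample listing reuses the page's d2f2t6 / unknown.level3.net lines, while the two port-5555 lines, the 203.0.113.7 address and the EXPECTED_LISTENERS set are assumptions made for the demonstration.

```python
# Constructed sample modelled on the listing quoted in the thread: the
# d2f2t6 / unknown.level3.net / nbname / 1978 lines come from the page, the
# two port-5555 lines are invented (203.0.113.7 is a documentation address).
SAMPLE_NETSTAT = """\
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:5555 d2f2t6:0 LISTENING
TCP d2f2t6:1050 203.0.113.7:5555 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:1978 *:*
"""

# Services expected on a Windows box with file sharing enabled (NetBIOS);
# anything else that listens should be explained.
EXPECTED_LISTENERS = {"nbsession", "nbname", "nbdatagram", "137", "138", "139"}

def triage(netstat_text):
    """Split a netstat -a listing into listeners, unexplained listeners,
    web sessions (remote port 80) and connections worth reviewing."""
    listening, established = [], []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank or unrelated line
        proto, local, remote = fields[:3]
        state = fields[3] if len(fields) > 3 else ""
        lport = local.rpartition(":")[2]
        rhost, _, rport = remote.rpartition(":")
        if state == "LISTENING" or (proto == "UDP" and remote == "*:*"):
            listening.append((proto, lport))
        elif state == "ESTABLISHED":
            established.append((proto, lport, rhost, rport))
    # A listening port that is also the local end of an ESTABLISHED session
    # (the 2068/2070 pairs in the quoted listing) is explained by that session.
    in_use = {(proto, lport) for proto, lport, _, _ in established}
    return {
        "listening": listening,
        "unexpected_listeners": [l for l in listening
                                 if l[1] not in EXPECTED_LISTENERS and l not in in_use],
        "web": [e for e in established if e[3] in ("80", "http")],
        "review": [e for e in established if e[3] not in ("80", "http")],
    }

if __name__ == "__main__":
    for section, rows in triage(SAMPLE_NETSTAT).items():
        print(section, rows)
```

The port-80 sessions to unknown.level3.net land in "web" (the reply's "you might only be surfing" case); only the unexplained listener and the non-web session are left to review.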
Dshield mailing list
Dshield at dshield.org