[Dshield] Proof of hacker. What do I do?

dominiquefiori dominiquefiori at numericable.fr
Tue Aug 27 09:46:42 GMT 2002


What is this please? A news list? If yes, well, we had the same problem:


0) When the attack occurs, please stop your internet connection

1) run an anti-virus and an anti-trojan soft (use at least 2, as anti-virus
software is not 100% proof)

2) Try to determine which port was open/established

3) TCPView looks good, but so does a good old netstat -a (-n to get just IP
addresses).

The philosophy is as follows: get rid of what has established the
connection,

ask yourself:
- file shares with too many authorisations on my system?
- no antivirus?
- passwords written somewhere?
- internal mistake or vengeance (review accounts)?
- did I configure Windows right? If I am using Linux, am I starting too many
services?


You understood me, I guess: analyse how and why the connection was accepted.

On the other hand, if it is on port 80, you might only be surfing.

Warmest regards

dominique "apologies for my poor English as I am French" Fiori

Tel 00 33 6 73 87 32 62
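The triage Dominique describes (list what is listening or established, then ask how each connection came to be accepted, remembering that a remote port 80 is usually just browsing) can be done mechanically. The script below is an added example and is not code from the thread. The netstat lines and the two firewall log lines are copied from Linda's post further down; the two netstat lines marked CONSTRUCTED, with the hostname evil.example.net and the ports 31337 and 4321, are made up here to show what a suspicious entry would look like.

```python
"""Triage `netstat -a` output and firewall log lines in the shape posted on the
list: which local ports are listening or established, and why each is there.
Added example, not code from the thread. Lines marked CONSTRUCTED are made up.
"""
import re
from collections import namedtuple

NETSTAT_OUTPUT = """\
TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:nbdatagram *:*
UDP d2f2t6:1978 *:*
TCP d2f2t6:31337 d2f2t6:0 LISTENING
TCP d2f2t6:nbsession evil.example.net:4321 ESTABLISHED
"""  # last two lines CONSTRUCTED: a rogue listener and an inbound NetBIOS session

FIREWALL_LOG = """\
2002/08/24 20:50:05 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1074 Port 1074 (TCP)
2002/08/24 20:35:48 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1075 Port 1075 (TCP)
"""

# Names Windows netstat prints instead of numbers when -n is not given.
SERVICE_PORTS = {"nbname": 137, "nbdatagram": 138, "nbsession": 139, "http": 80}
NETBIOS_PORTS = (137, 138, 139)

Conn = namedtuple("Conn", "proto local_host local_port remote_host remote_port state")


def parse_endpoint(text):
    """'host:port' -> (host, int port); '*' becomes None, unknown names stay strings."""
    host, _, port = text.rpartition(":")
    if port == "*":
        return host, None
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port, port)


def parse_netstat(output):
    conns = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip headers and blank lines
        lh, lp = parse_endpoint(parts[1])
        rh, rp = parse_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP has no state column
        conns.append(Conn(parts[0], lh, lp, rh, rp, state))
    return conns


def triage(conns):
    """Return (verdict, Conn) pairs explaining why each socket is there."""
    # Local ports of outbound connections (ephemeral, >= 1024). Old Windows
    # netstat also lists the local socket of such a connection as LISTENING.
    outbound_ports = {c.local_port for c in conns
                      if c.state == "ESTABLISHED"
                      and isinstance(c.local_port, int) and c.local_port >= 1024}
    findings = []
    for c in conns:
        if c.state == "ESTABLISHED":
            if c.remote_port == 80:
                verdict = "browsing: outbound to a remote web server"
            elif isinstance(c.local_port, int) and c.local_port < 1024:
                verdict = "INBOUND to a local service port: find out who connected"
            else:
                verdict = "outbound to a non-web port: identify the owning program"
        elif c.state == "LISTENING" and c.local_port in outbound_ports:
            verdict = "artifact: local side of an outbound connection"
        elif c.local_port in NETBIOS_PORTS:
            verdict = "NetBIOS: normal on Windows, but block it at the firewall"
        else:
            verdict = "unexplained listener: identify the owning program"
        findings.append((verdict, c))
    return findings


FW_LINE = re.compile(
    r"^(?P<date>\S+ \S+) (?P<src_ip>[\d.]+):(?P<src_port>\d+) \((?P<src_name>[^)]*)\) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) Port \d+ \((?P<proto>\w+)\)$")


def classify_firewall_line(line):
    """Parse one log line as posted; return (verdict, src_ip, src_port, dst_ip, dst_port)."""
    m = FW_LINE.match(line.strip())
    if not m:
        return None
    src_port, dst_port = int(m["src_port"]), int(m["dst_port"])
    if src_port == 80 and dst_port >= 1024:
        verdict = "reply from a web server to a high local port: consistent with browsing"
    elif dst_port < 1024:
        verdict = "aimed at a local service port: check what listens there"
    else:
        verdict = "unknown: correlate with netstat taken at the same time"
    return verdict, m["src_ip"], src_port, m["dst_ip"], dst_port


if __name__ == "__main__":
    for verdict, c in triage(parse_netstat(NETSTAT_OUTPUT)):
        print(f"{c.proto} {c.local_port}->{c.remote_host}:{c.remote_port} {c.state:12} {verdict}")
    for line in FIREWALL_LOG.splitlines():
        print(classify_firewall_line(line))
```

Run it as-is and the four connections to unknown.level3.net:80 come out as browsing, the matching LISTENING lines as netstat artifacts, and the NetBIOS ports as expected Windows noise; only the two constructed lines are flagged for investigation. The firewall entries are replies from a web server to high local ports, which is what browsing looks like from the outside.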


-----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf Of
Linda
Sent: Monday 26 August 2002 17:00
To: list at dshield.org
Subject: [Dshield] Proof of hacker. What do I do?


TCP d2f2t6:nbsession d2f2t6:0 LISTENING
TCP d2f2t6:2068 d2f2t6:0 LISTENING
TCP d2f2t6:2070 d2f2t6:0 LISTENING
TCP d2f2t6:2073 d2f2t6:0 LISTENING
TCP d2f2t6:2074 d2f2t6:0 LISTENING
TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
UDP d2f2t6:nbname *:*
UDP d2f2t6:nbdatagram *:*
UDP d2f2t6:1978 *:*
What I did was install TCPView. Then I went into netstat. What I think is
being stopped at my firewall is not being stopped. They are into DOS.
Here is my event log that corresponds with this.
2002/08/24 20:50:05 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1074 Port 1074 (TCP)
2002/08/24 20:35:48 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1075 Port 1075 (TCP)

I didn't get it all copied over because there are 8 entries on the firewall
in a row.

There are also large files showing up that I don't know what they are.

Help!

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
