
Correction: www.ethereal.com not www.ethereal.org RE: Suspicious file on Desktop

From: Eric Greenberg <eric(at)netframeworks.com>
Date: Mon Feb 10 2003 - 16:34:09 EST


In my post below, I referenced the incorrect website for ethereal. It's www.ethereal.com.

-----Original Message-----
From: Eric Greenberg [mailto:eric@netframeworks.com]
Sent: Monday, February 10, 2003 11:55 AM
To: 'Patrick Fish'; 'incidents@securityfocus.com'
Subject: RE: Suspicious file on Desktop

I'll just focus on one aspect of this problem; others will probably offer you other very useful input relating to specific trojans, etc.

For one thing, I'd recommend, in general, using a network sniffer so that you can see what, if anything, is leaving your machine to/from those IP addresses, especially during bootup. In general, whenever you suspect anything network-borne on a machine, the first best thing is to look at the wire and see what's happening. While you can put the analyzer on the same machine you have concerns with, in general it's best to put it on another machine. Set up another machine with Ethereal (http://www.ethereal.org) or, if you want a commercial product, you could consider http://www.tamos.com. Get a hub (not a switch) if possible and put your machine on that hub. Put the network analyzer on the hub. If this is a dial-up connection, you have several options, but the first one (which may not be forensically sound) would be to run the analyzer on your own machine.

Regards,
Eric



Mission Critical Security Planner:
When hackers won't take no for an answer http://www.amazon.com/exec/obidos/ASIN/0471211656

-----Original Message-----
From: Patrick Fish [mailto:patrick@pwhsnet.com]
Sent: Monday, February 10, 2003 5:12 AM
To: incidents@securityfocus.com
Subject: Suspicious file on Desktop

Hi,

I've been trying to figure out why there is a "Startup.log" file on my desktop. I've searched mail archives and google, but didn't find anything about this. The file contains:

(Last octet of IP removed)

CONNECTION: [01/26/03 21:50 UTC] 62.163.176.xx
CONNECTION: [01/26/03 21:56 UTC] 67.192.41.xxx
CONNECTION: [01/26/03 22:01 UTC] 67.192.41.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:49 UTC] 80.194.40.xxx
CONNECTION: [02/06/03 09:06 UTC] 144.134.163.xx
CONNECTION: [02/06/03 09:11 UTC] 216.249.81.xx
CONNECTION: [02/06/03 09:46 UTC] 136.165.87.xxx
CONNECTION: [02/06/03 09:47 UTC] 211.28.63.xxx
Do you need help?X

After resolving a few of them, these are all people I know pretty well on IRC. I can't figure out what's causing this - I don't use a mIRC script, I don't have a firewall (XP firewall is disabled) -- I do have Norton 2003 Pro. I'm using Windows XP Pro on Service Pack 1a, but the file was created before I installed SP1a.

I've checked my process list, and there's nothing running that shouldn't be.

Has anyone seen something similar or know what's causing this?

Thanks.

--
Patrick Fish



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com




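As an added example (not code from this thread), a small Python script that parses the Startup.log format quoted in Patrick's post, separates the CONNECTION records from any trailing non-record line, and groups the records into time bursts so a responder can line them up against a capture taken at boot, as Eric suggests. The 30-minute burst gap is an assumed default, and the masked last octets are kept as text.

```python
import re
from datetime import datetime, timedelta, timezone

# Contents of Startup.log as quoted in Patrick's post (last octet masked there; kept as-is).
STARTUP_LOG = """\
CONNECTION: [01/26/03 21:50 UTC] 62.163.176.xx
CONNECTION: [01/26/03 21:56 UTC] 67.192.41.xxx
CONNECTION: [01/26/03 22:01 UTC] 67.192.41.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:46 UTC] 65.65.81.xxx
CONNECTION: [02/06/03 08:49 UTC] 80.194.40.xxx
CONNECTION: [02/06/03 09:06 UTC] 144.134.163.xx
CONNECTION: [02/06/03 09:11 UTC] 216.249.81.xx
CONNECTION: [02/06/03 09:46 UTC] 136.165.87.xxx
CONNECTION: [02/06/03 09:47 UTC] 211.28.63.xxx
Do you need help?X
"""

LINE_RE = re.compile(r"^CONNECTION: \[(\d\d/\d\d/\d\d \d\d:\d\d) UTC\] (\S+)$")


def parse_startup_log(text):
    """Return (entries, unparsed): entries are (UTC datetime, host) in file order,
    unparsed holds every non-empty line that is not a CONNECTION record."""
    entries, unparsed = [], []
    for line in (raw.strip() for raw in text.splitlines() if raw.strip()):
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # e.g. the "Do you need help?X" trailer
            continue
        when = datetime.strptime(m.group(1), "%m/%d/%y %H:%M").replace(tzinfo=timezone.utc)
        entries.append((when, m.group(2)))
    return entries, unparsed


def sessions(entries, gap_minutes=30):
    """Split records into bursts; a new burst starts when the gap to the previous
    record exceeds gap_minutes (assumed default). Bursts are the windows to
    compare against a packet capture of the machine booting."""
    bursts, gap = [], timedelta(minutes=gap_minutes)
    for when, host in sorted(entries):
        if bursts and when - bursts[-1][-1][0] <= gap:
            bursts[-1].append((when, host))
        else:
            bursts.append([(when, host)])
    return bursts


if __name__ == "__main__":
    entries, unparsed = parse_startup_log(STARTUP_LOG)
    for n, burst in enumerate(sessions(entries), 1):
        print(f"burst {n}: {burst[0][0]:%m/%d/%y %H:%M}-{burst[-1][0]:%H:%M} UTC, "
              f"{len(burst)} records, hosts={sorted({h for _, h in burst})}")
    print("unparsed lines:", unparsed)
```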
Received on Mon Feb 10 18:57:08 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:58 EDT

