I'd try some manual inspection since most AVs are best at detecting known malware.
This script is good at auditing autorunning programs: http://www.silentrunners.org/

Other than that, maybe some rootkit detection tools: http://technet.microsoft.com/en-us/sysinternals/bb897445.aspx

I know I've heard of some others too.

Jeff

On Wed, Aug 26, 2009 at 12:26 PM, David W. McSpadden <[email protected]> wrote:

> Nope, ACLs on the switches would kill that vector.
>
> ----- Original Message -----
> *From:* Daniel Rodriguez <[email protected]>
> *To:* NT System Admin Issues <[email protected]>
> *Sent:* Wednesday, August 26, 2009 12:22 PM
> *Subject:* Re: Reporting user fraud
>
> David,
>
> You thinking someone brought in their personal laptop and plugged it into the network? If the laptop was compromised, it could have infected other computers on the network.
>
> On Wed, Aug 26, 2009 at 12:20 PM, Andy Ognenoff <[email protected]> wrote:
>
>> Could this person login from a remote system (obviously if an unauthorized person could, then probably yes)? If it was a phishing email, could it have been on a personal computer? You wouldn't see any trace of the malware on the corporate PC but maybe the personal is what's infected.
>>
>> - Andy O.
>> ------------------------------
>>
>> *From:* David W. McSpadden [mailto:[email protected]]
>> *Sent:* Wednesday, August 26, 2009 11:16 AM
>> *To:* NT System Admin Issues
>> *Subject:* Re: Reporting user fraud
>>
>> FBI pointed to phishing email with a drive-by bot\keylogger.
>>
>> But Trend\VipreRescue\Spybot all come back negative??? Even using Fport scanner I don't see anything out of the ordinary???
>>
>> ----- Original Message -----
>> *From:* Daniel Rodriguez <[email protected]>
>> *To:* NT System Admin Issues <[email protected]>
>> *Sent:* Wednesday, August 26, 2009 12:06 PM
>> *Subject:* Re: Reporting user fraud
>>
>> Hmmm.... this sounds like what happened to Bullitt County in Louisville, Ky. Someone was logging into the county network and was able to get $416K wired out of the country. They just reported it about two months ago. Seems that some hacker group was able to access their system and used logins and passwords of users within the system.
>>
>> It is fixed now, and they were able to recover a majority of the money. They think that one, or some, of the users were either surfing where they were not supposed to, or someone received some type of phishing email.
>>
>> On Wed, Aug 26, 2009 at 11:40 AM, Jon Harris <[email protected]> wrote:
>>
>> You forgot HR; some of them can create positions with salaries or modify a person's salary. Either way money could be leaking out that should not be.
>>
>> Jon
>>
>> On Wed, Aug 26, 2009 at 11:12 AM, Jonathan Link <[email protected]> wrote:
>>
>> A is too specific; could've been brute force or an easily guessed password in addition to malware/keylogger.
>>
>> Can you determine what was accessed with any degree of certainty? What regulatory agencies is your organization governed by? I'd start with that.
>>
>> Interestingly, did you read this Washington Post article?
>>
>> http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?nav=hcmodule&sid=ST2009082500907
>>
>> (beware the wrap)
>>
>> I would also review banking information if this person is at all involved with bookkeeping, AP or AR functions.
>>
>> On Wed, Aug 26, 2009 at 10:59 AM, David W. McSpadden <[email protected]> wrote:
>>
>> If someone has access to your SSL website with a valid username and password, you assume that either 1 of 2 things have happened:
>>
>> A. someone has a keylogger and their computer is compromised.
>>
>> B. someone just out and out gave the information away.
>>
>> Is that a correct assessment?
>>
>> If you have the IP from the 'hacker' that accessed your website, who do you report it to???
>>
>> Most likely it is a bot and nothing can be done, but who do you report it to nonetheless???
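For the kind of manual inspection Jeff recommends (auditing what autoruns on the box, then checking what is listening, the way David did with Fport), here is an added PowerShell example. It is not code from the thread, from Silent Runners or from the Sysinternals tools; it is a small triage script that lists the common Run/RunOnce keys and Startup folders with each target's Authenticode status and SHA-256, plus TCP listeners mapped to their owning process. It assumes an elevated PowerShell 4.0 or later session on the machine being examined (Get-FileHash needs 4.0), and its output is meant to be diffed against the same run on a known-clean build, not read as a verdict.

```powershell
# Added example (not from the thread or from any named tool): manual triage of
# autorun locations and TCP listeners on a Windows host. Run elevated, PS 4.0+.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
# Provider metadata that Get-ItemProperty attaches to every registry key.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

# Pull the executable out of a command line such as
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\tools\bar.exe -x
function Get-ExePath([string]$command) {
    if ($command -match '^\s*"([^"]+)"')  { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

# Signature status and hash of one binary. Missing files are reported too:
# a dangling autorun entry is itself worth a look.
function Get-BinaryFacts([string]$path) {
    $full = [Environment]::ExpandEnvironmentVariables($path)
    if (-not (Test-Path -LiteralPath $full -PathType Leaf)) {
        return [pscustomobject]@{ Path = $full; Exists = $false; Signature = 'missing'; Signer = ''; SHA256 = '' }
    }
    $sig = Get-AuthenticodeSignature -LiteralPath $full
    [pscustomobject]@{
        Path      = $full
        Exists    = $true
        Signature = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
    }
}

$autoruns = New-Object System.Collections.Generic.List[object]

# Registry Run/RunOnce values.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $values = Get-ItemProperty -Path $key
    if ($null -eq $values) { continue }
    foreach ($prop in $values.PSObject.Properties) {
        if ($providerProps -contains $prop.Name) { continue }
        $facts = Get-BinaryFacts (Get-ExePath ([string]$prop.Value))
        $autoruns.Add([pscustomobject]@{
            Source = $key; Name = $prop.Name; Command = $prop.Value
            Path = $facts.Path; Signature = $facts.Signature; Signer = $facts.Signer; SHA256 = $facts.SHA256
        })
    }
}

# Startup folders; entries are usually .lnk shortcuts, so resolve their targets.
$shell = New-Object -ComObject WScript.Shell
foreach ($folder in $startupFolders) {
    foreach ($item in Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue) {
        $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
        $facts = Get-BinaryFacts $target
        $autoruns.Add([pscustomobject]@{
            Source = $folder; Name = $item.Name; Command = $target
            Path = $facts.Path; Signature = $facts.Signature; Signer = $facts.Signer; SHA256 = $facts.SHA256
        })
    }
}

# TCP listeners with their owning process, parsed from netstat -ano so it also
# works on older hosts without Get-NetTCPConnection. $pid is an automatic
# variable in PowerShell, hence the separate name for the owner PID.
$listeners = netstat -ano | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
        $ownerPid = [int]$Matches[2]
        $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        [pscustomobject]@{ Local = $Matches[1]; PID = $ownerPid; Process = $proc.ProcessName; Path = $proc.Path }
    }
}

"=== Autorun entries (unsigned or missing first) ==="
$autoruns | Sort-Object @{ Expression = { $_.Signature -eq 'Valid' } }, Source |
    Format-Table Source, Name, Signature, Signer, Path -AutoSize
"=== TCP listeners ==="
$listeners | Sort-Object PID | Format-Table -AutoSize

# Keep a copy to diff against the same run on a known-clean machine.
$autoruns | Export-Csv -NoTypeInformation -Path "$env:TEMP\autoruns-$env:COMPUTERNAME.csv"
```

Unsigned entries, entries whose file no longer exists, and listeners owned by a process running from a user-writable directory are the rows to look at first; a clean scanner result says little about a sample the scanner has never seen, which is exactly the case the thread is worrying about.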
