In-Reply-To: <[EMAIL PROTECTED]>

Easiest way to do this is to open a prompt on the box and simply type "netstat -a". If there's someone connected to the box, it should point you right to their IP address.
Chris
www.cr-secure.net

>List-Id: <security-basics.list-id.securityfocus.com>
>Subject: XP Box appears to be compromised
>Date: Wed, 6 Aug 2003 11:03:31 -0600
>From: "Gregory M. Brown" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>
>I've got an issue with what appears to be remote desktop management of
>an XP box. It's weird...
>
>There are deliberate mouse movements on this box. I'm assuming it's an
>internal person doing this as our FW and Fortinet device will block any
>remote seizing of a desktop. I've disabled all the XP remote services,
>and it continues to happen. I could bust open packets with sniffer, but
>there is a time constraint as the organization laid virtually all IT
>people off. Imagine that....
>
>What should I be looking for? I need to nail whoever is doing this.
>
>Thanks for any help.
>
>Greg B.
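The netstat approach from the reply, worked through as an added example (not code from either poster): a small parser for Windows `netstat -an` output that lists established inbound connections on ports typically used by remote-control tools, so a defender can see the foreign address at a glance instead of reading the whole table. The port-to-service map and the sample netstat output are constructed assumptions for the example.

```python
from typing import List, NamedTuple, Tuple

# Assumed local ports for common remote-control services on an XP-era box.
REMOTE_CONTROL_PORTS = {
    3389: "RDP",
    5800: "VNC-HTTP",
    5900: "VNC",
    5631: "pcAnywhere",
}

# Constructed sample of `netstat -an` output (numeric form, no name lookups).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.50:3389      192.168.1.77:1045      ESTABLISHED
  TCP    192.168.1.50:5900      192.168.1.23:3211      ESTABLISHED
  TCP    192.168.1.50:1034      64.12.24.10:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

class Conn(NamedTuple):
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    state: str

def _split_endpoint(endpoint: str) -> Tuple[str, int]:
    # "host:port" -> (host, port); "*:*" and similar yield port 0.
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else 0

def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # skip banner and column-header lines
        lh, lp = _split_endpoint(parts[1])
        rh, rp = _split_endpoint(parts[2])
        state = parts[3] if len(parts) > 3 else ""  # UDP rows have no state
        conns.append(Conn(parts[0], lh, lp, rh, rp, state))
    return conns

def inbound_remote_control(conns: List[Conn]) -> List[Tuple[str, str]]:
    # Established TCP sessions whose *local* port is a remote-control service:
    # the foreign address is the peer driving the desktop.
    return [(c.remote_host, REMOTE_CONTROL_PORTS[c.local_port])
            for c in conns
            if c.proto == "TCP" and c.state == "ESTABLISHED"
            and c.local_port in REMOTE_CONTROL_PORTS]

if __name__ == "__main__":
    for host, svc in inbound_remote_control(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{svc} session from {host}")
```

On a live box, `netstat -an` avoids slow name lookups and `netstat -ano` (supported on XP) adds the owning PID, which identifies the local process serving the session.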