Posted by jhunter on May 1, 2006, 1:15 pm
What's the most logical way, on our Windows server or workstations, to
determine if someone has hacked in and is using our machines to
distribute spam?

Posted by Robert Moir on May 1, 2006, 2:08 pm
jhunter@huntercomputerinc.com wrote:
> What's the most logical way, on our Windows server or workstations, to
> determine if someone has hacked in and is using our machines to
> distribute spam?
Based on the very thin information we have here I'd go for
* put a packet sniffer on the network, watch for unexplained traffic
* monitor the internet connection, watch for sustained, high, unexplained
traffic.

Posted by Brooster on May 1, 2006, 2:39 pm
If your computer is hacked, you cannot trust any data that you get from the
hacked operating system... The only sure way to remove it would be to flatten
it.
For spam, it is possible but not always true, that the program sending mail is
listening on port 25, so a port scan from an external computer on those systems
would identify it, as would a telnet to port 25.
External firewall logs, etc., can help depending on the configuration.
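
Added example, not part of any post in this thread: one way to act on the traffic-watching and firewall-log suggestions above is to count, per internal host, the external machines it contacts on TCP port 25. The log layout (a `#Fields:` header in the style of Windows Firewall's pfirewall.log, shortened here), the addresses, the mail-server list and the threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumptions for this sketch (none of these values come from the thread).
INTERNAL = ip_network("192.168.1.0/24")   # our LAN
MAIL_SERVERS = {"192.168.1.10"}           # hosts allowed to send SMTP out
THRESHOLD = 3                             # distinct external SMTP peers

# Constructed sample records, pfirewall.log-style field layout.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2006-05-01 13:15:01 ALLOW TCP 192.168.1.10 198.51.100.7 1031 25
2006-05-01 13:15:02 ALLOW TCP 192.168.1.10 203.0.113.9 1032 25
2006-05-01 13:15:03 ALLOW TCP 192.168.1.10 192.0.2.25 1033 25
2006-05-01 13:15:04 ALLOW TCP 192.168.1.23 198.51.100.7 2101 25
2006-05-01 13:15:04 ALLOW TCP 192.168.1.23 203.0.113.9 2102 25
2006-05-01 13:15:05 DROP TCP 192.168.1.23 192.0.2.25 2103 25
2006-05-01 13:15:07 ALLOW TCP 192.168.1.31 198.51.100.7 3001 25
2006-05-01 13:15:08 ALLOW TCP 192.168.1.31 203.0.113.80 3002 80
2006-05-01 13:15:09 ALLOW TCP 203.0.113.9 192.168.1.10 4400 25
2006-05-01 13:15:10 garbage line
"""

def parse(log_text):
    """Yield one dict per record, keyed by the names on the #Fields line."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def smtp_suspects(log_text, threshold=THRESHOLD):
    """Map each non-mail internal host to its external port-25 peers."""
    peers = defaultdict(set)
    for rec in parse(log_text):
        if rec.get("protocol") != "TCP" or rec.get("dst-port") != "25":
            continue
        try:
            src, dst = ip_address(rec["src-ip"]), ip_address(rec["dst-ip"])
        except (KeyError, ValueError):
            continue  # truncated or malformed record
        if src in INTERNAL and dst not in INTERNAL and str(src) not in MAIL_SERVERS:
            peers[str(src)].add(str(dst))  # allowed and dropped attempts both count
    return {h: sorted(p) for h, p in peers.items() if len(p) >= threshold}

if __name__ == "__main__":
    for host, dests in smtp_suspects(SAMPLE_LOG).items():
        print(f"{host}: SMTP to {len(dests)} external hosts: {', '.join(dests)}")
```

The log should come from a device outside the suspect machine, since data reported by a compromised operating system cannot be trusted.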

Posted by jhunter on May 1, 2006, 4:57 pm
I'm a complete rookie regarding this type of issue. Could you point me
in the right direction with regards to port scanning products and using
telnet on port 25?

Posted by Robert Moir on May 1, 2006, 5:49 pm
jhunter@huntercomputerinc.com wrote:
> I'm a complete rookie regarding this type of issue. Could you point me
> in the right direction with regards to port scanning products and
> using telnet on port 25?
http://www.gfi.com/lannetscan/ might get you started.
With respect, if you don't know how to even begin looking around to find a
port scanner on the web, then perhaps you should get help from someone who
does know how this kind of thing works.
I'm not trying to be rude, but you say yourself that you're new to solving
this kind of problem, and you want to be certain you've nailed this issue
down one way or another, right?
--
Rob Moir, Microsoft MVP
Blog Site - http://www.robertmoir.com
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html
I'm always surprised at "professionals" who STILL have to be asked "Have you
checked (event viewer / syslog)".