|
Posted by Pedro Leite on October 18, 2005, 11:04 am
Please log in for more thread options
hello everybody
this morning i found a strange file on my c:\ root
this one --> sc12.bin.incr.2005.10.17.14.16.10.2005.10.17.19.30.28.utp
created on 17 - oct at 22:38:10 , owned by the administrators group. i
didn't do it.
the setup is sbs2k3, running isa as a firewall.
on the packet filter logs for isa, i found :
from 22:00 onwards, some allowed connections on port 80, and some allowed
connections on remote port 110, due to the pop3connector retreiveing mail.
all other connections are reported as blocked, including on port 135 at
22:38:10
PFlogDate PFlogTime SourceAddress DestinationAddress Protocol Param#1
Param#2 TcpFlags FilterRule Interface IPHeader IPHeaderDump Payload
PayloadDump
17-10-2005 22:38:10 81.193.19.13 xx.xx.xx.xx Tcp 4715 445 SYN
BLOCKED Dialout 45 00 00 30 d6 87 40 00 7e 06 f4 99 51 c1 13 0d 51 c1 7b
17
12 6b 01 bd 3b 4d 93 ea 00 00 00 00 70 02 75 30 f8 f0 00 00 02 04 05 ac
01 01 04 02
still, does this means i have been hacked ?
how can i make sure i have been, or not, hopefully
many thanks
Pedro Leite, from Portugal
| 
XML Sitemap