Charles Stack on Mon, 22 May 2000 13:24:18 -0400 (EDT)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

RE: [PLUG] OT: Suspected hacker attack - Can anyone advise?


Send a copy of the message or script to the Norton and McAffee so we can all
be protected from it.
Also, make sure that you have the latest patches installed for IE.  Turn of
scripting.  That should solve your problem in the  future.

Charles

-----Original Message-----
From: plug-admin@lists.nothinbut.net
[mailto:plug-admin@lists.nothinbut.net]On Behalf Of Jim McCoy
Sent: Monday, May 22, 2000 1:18 PM
To: 3000-L; plug@lists.nothinbut.net
Cc: Kosick, Rick
Subject: [PLUG] OT: Suspected hacker attack - Can anyone advise?


In my email this morning, I found a suspicious email which I had enough
sense not
to open.  Bit I was still outsmarted by it.

It was from an odd/unidentifiable email address with a subject of "How are
you?".
There was no attachment.  I had the Preview pane in Outlook activated and
the
message was blank.

Apparently a script was able to activate that launched MSIE and linked to a
foreign
web site.  I got a dialog box warning that a character set had to be
installed to view the
site correctly and  characters began scrolling across the message box.
This was all happening as I was reaching for the power switch.  I went for
it as soon as I
saw what was happening.  This ran for probably 3-5 seconds.

I found 97 files either created or modified by this process.  In addition to
some my system files there were 2 files modified:  My outlook folders
dedicated to the 2
listservs that this mail is being sent to:  The HP-3000L and Philadelphia
Linux User Group.

There was a new directory called FOUND.0000 with 38 numbered files in it:
FOUND0001.CHK - FOUND0038.CHK  Most of these files are unreadable.
One of them contains bits of emails that were sent to these lists with IP
Addresses.
Others appear to contain internet account related information.  I identified
some
phone numbers and the letters PPP appear in a number of the files.

I know this did not replicate itself and get sent out to others in my
address book, because it would have gone to these lists.  plus my email
address is at the top of my address book so it would have come back to me.

This does not appear to be a virus.  I think it was a hacker looking for
internet account, IP Address and password information.

I'll be changing my passwords and buttoning down my system and advising my
ISP.

My guess would be that this script was collecting information that would be
sent back to it's creator.  If any of these files did make it back, then
they managed to grab some of
your IP Addresses.  I don't know how much value an IP Address alone can have
to a hacker.  But I guess you just need to be on alert.

I am still assessing my system and may come up with more information later.

If anyone has any words of wisdom please advise.

Thanks.

Jim Mc Coy



______________________________________________________________________
Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug


______________________________________________________________________
Philadelphia Linux Users Group       -       http://plug.nothinbut.net
Announcements - http://lists.nothinbut.net/mail/listinfo/plug-announce
General Discussion   -   http://lists.nothinbut.net/mail/listinfo/plug