A program called RADMIN.exe could do this. It acts just like being at the
keyboard. Its commonly used in a number of worms and hack kits and I have
found it on one of my machines before and watched the attacker at work.
I put together a forensics batch file that uses a number of free statically
compiled forensic tools to gather volatile forensics information before a
compromised machine is shut down.
Download this ( http://www.infotech.prl.msu.edu/software/win_forensics.zip )
and put it on a usb keychain drive. Run forensicscript.bat on the
compromised machine and review the result audit.log and files.log that it
produces. It will help track down exactly what is going on and provide
useful evidence in the event you want to press charges.
/-----------------------------------------
| Bryan Murphy
| Information Technology Coordinator
| MSU Plant Research Lab and Plant Biology
| http://infotech.prl.msu.edu
\-----------------------------------------
-----------[ 12/20/05 11:00 AM [log in to unmask] ]--------------
> We have an intruder repeatedly breaking in to a main office
> computer(deleting firewalls & antivirus, enabling telnet, installing pirated
> movies, etc.). The most recent incident was Thursday night/Friday morning.
> The Windows XP security log shows a logon type 2 early Friday morning. This
> is supposed to mean a console logon, which would mean that the intruder was
> in the office directly at the keyboard of the attacked computer, instead of
> breaking in over the network.
>
> Question: Is there any other way to get a logon type 2 in the security log?
> Or let's take a poll: How many of you think that our intruder is coming in
> the door, and how many think he is coming over the network?
>
> -- David McFarlane
> Systems Designer
> Michigan State University, Dept. of Psychology
> [log in to unmask]
|