Thread: backoffice

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    6

    backoffice

    I just found a PC with an instance of MSSQL running on it named backoffice1. When I do a netstat it shows it connected to a public IP that belongs to China Unicom according to the whois site. I am guessing it's reload time, but I want to learn from this. What can I do to see what is really going on, or more about tracking down where it came from?
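    A first pass at the "what is really going on" question, starting from the netstat output the poster already has. This is an added example, not code from the thread: it parses `netstat -ano`-style output (assumed, since the box runs MSSQL on Windows), keeps only ESTABLISHED connections whose foreign address is outside the LAN ranges, and groups them by owning PID so each one can be chased with `tasklist /fi "PID eq <pid>"` and a whois lookup. The sample lines, PIDs and addresses are constructed; the remote addresses come from documentation ranges, not real hosts.

```python
"""Triage of `netstat -ano` output: list ESTABLISHED connections whose remote
end is outside the LAN, with remote port and owning PID, so the process can
then be looked up (`tasklist /fi "PID eq <pid>"`) and the IP run through whois.

Added example, not from the thread. Assumes a Windows host (the box runs
MSSQL); the netstat lines, PIDs and addresses below are constructed, with the
remote addresses drawn from documentation ranges rather than real hosts.
"""
import ipaddress
import re

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1704
  TCP    10.0.0.15:1433         10.0.0.22:49211        ESTABLISHED     1704
  TCP    10.0.0.15:49700        203.0.113.10:443       ESTABLISHED     1704
  TCP    10.0.0.15:49701        198.51.100.7:6667      ESTABLISHED     2288
  TCP    127.0.0.1:49702        127.0.0.1:1433         ESTABLISHED     3120
  UDP    0.0.0.0:1434           *:*                                    1704
"""

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\w+)\s+)?(\d+)\s*$")

# Ranges treated as "inside": RFC 1918, loopback, link-local, unspecified.
# Listed explicitly instead of using IPv4Address.is_private, which would also
# mark the documentation ranges used in the sample as non-public.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def split_endpoint(endpoint):
    """'1.2.3.4:443' -> ('1.2.3.4', '443'); also copes with '[::1]:443'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def parse_netstat(text):
    """Turn netstat text into a list of row dicts; header/blank lines skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(foreign)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport,
                     "state": state or "", "pid": int(pid)})
    return rows


def is_internal(host):
    """True for LAN/loopback/link-local addresses and for '*' or hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def external_connections(rows):
    """ESTABLISHED rows whose foreign address is not in an internal range."""
    return [r for r in rows
            if r["state"] == "ESTABLISHED" and not is_internal(r["rhost"])]


def remotes_by_pid(rows):
    """Group external endpoints by owning PID: one process talking to several
    hosts in the same netblock is the pattern the thread describes."""
    out = {}
    for r in rows:
        out.setdefault(r["pid"], set()).add(f'{r["rhost"]}:{r["rport"]}')
    return out


if __name__ == "__main__":
    ext = external_connections(parse_netstat(SAMPLE_NETSTAT))
    for pid, endpoints in sorted(remotes_by_pid(ext).items()):
        print(pid, sorted(endpoints))
```

The PID is the important column: MSSQL itself (PID 1704 in the sample) holding a connection to a public address is a different finding from a separate, unknown process (PID 2288) doing so, and the port (443 vs. 6667) tells you what to filter for in the sniffer afterwards.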

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    I would throw Wireshark [or another packet sniffer] on there, and use a filter to show only packets dealing with the IP in question. In Wireshark, you could use:

    Code:
    ip.addr == 1.2.3.4
    Where 1.2.3.4 = the public IP you are seeing in netstat.

    Edit: It might be good to look at other traffic on the machine as well, just to see if there is anything else happening on there.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    THE Bastard Sys***** dinowuff's Avatar
    Join Date
    Jun 2003
    Location
    Third planet from the Sun
    Posts
    1,253
    Hey, are you sure it's not Back Orifice?
    09:F9:11:02:9D:74:E3:5B8:41:56:C5:63:56:88:C0

  4. #4
    Junior Member
    Join Date
    Oct 2009
    Posts
    6
    I double checked it; it's just backoffice1.

    Wireshark didn't show the IP that netstat displayed. I don't really want to leave it on the network any longer than I have to.

    It did use a different public IP, but whois says it's the same place.

  5. #5
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Hmm... You probably already know this, but if it is infected, and on a domain, make sure that you NEVER log in as a domain admin!

    What port did netstat report as being used?

  6. #6
    Member
    Join Date
    Jul 2009
    Posts
    45

    wireshark & tcpdump - on another pc

    I would second the Wireshark suggestion, or using tcpdump to capture ... but from a different PC.

    Create an isolated network ... give your "found" machine an IP that isn't part of your normal network, connect it directly to another PC sharing its internet connection (or a *nix-based firewall and router) so that you can log, *externally* to the machine in question, every packet ...

    Look for packets that start a connection ... most commonly used protocols include user/pass/very interesting packets in the first few I/O attempts in any given session.

    i.e., if you were looking at an email program (say Outlook, for instance), then within the first 3 or 4 packets you'd see your POP user and password in clear text .. first few packets going to a web server? You'd see the HTTP GET request.

    So too, when you capture all packets, look back at the IPs and the ports used, ID the unique or interesting destinations, then figure out the code being sent within the first 1 to 10 packets. Same every time? Alternates? Does it send the same packets to other targets? (i.e., trying to reach C&C servers?) etc.
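    The procedure in the post above, run offline against a capture file taken from the second PC, as an added example that is not code from the thread. It does the equivalent of the `ip.addr == 1.2.3.4` display filter from post #2 and then what post #6 asks for: for every TCP session the suspect host opens, it records the destination and the first payload bytes sent, and reports any opening payload that went to more than one destination (the same bytes going to several hosts in one netblock is what the poster's "different public IP, same whois" observation looks like on the wire). It reads libpcap format with the standard library only, so the capture is constructed inside the file; SUSPECT_HOST, the addresses, ports and the "BEACON" payload are all made up.

```python
"""Offline triage of a packet capture taken from a second machine: first the
equivalent of Wireshark's `ip.addr == X` display filter, then, per TCP
session the suspect host opens, the destination and first payload bytes it
sends, and finally which destinations received the same opening bytes.

Added example, not code from the thread. Standard library only: it reads
libpcap files, so the capture below is constructed here (SUSPECT_HOST, the
addresses, ports and the "BEACON" payload are all made up).
"""
import ipaddress
import struct

SUSPECT_HOST = "10.0.0.15"          # assumed LAN address of the backoffice1 box
SYN, PSH, ACK = 0x02, 0x08, 0x10


def build_frame(src, dst, sport, dport, flags, payload=b""):
    """Ethernet/IPv4/TCP frame with zeroed checksums (enough for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def build_pcap(frames):
    """libpcap global header (little-endian, LINKTYPE_ETHERNET) + records."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


# Constructed capture: two beacons to different hosts in the same /24, plus an
# unrelated inbound MSSQL client from the LAN.
SAMPLE_PCAP = build_pcap([
    build_frame(SUSPECT_HOST, "203.0.113.10", 49700, 443, SYN),
    build_frame("203.0.113.10", SUSPECT_HOST, 443, 49700, SYN | ACK),
    build_frame(SUSPECT_HOST, "203.0.113.10", 49700, 443, PSH | ACK,
                b"\x17\x03BEACON:backoffice1"),
    build_frame(SUSPECT_HOST, "203.0.113.99", 49701, 443, SYN),
    build_frame(SUSPECT_HOST, "203.0.113.99", 49701, 443, PSH | ACK,
                b"\x17\x03BEACON:backoffice1"),
    build_frame("10.0.0.22", SUSPECT_HOST, 49211, 1433, PSH | ACK, b"\x12\x01"),
])


def read_pcap(data):
    """Yield raw frames from a libpcap byte string (either byte order)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl]
        off += incl


def parse_frame(frame):
    """Decode Ethernet/IPv4/TCP; returns None for anything else."""
    if frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                      # not TCP
        return None
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack_from("!H", ip, 2)[0]
    tcp = ip[ihl:total]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    return {"src": str(ipaddress.IPv4Address(ip[12:16])),
            "dst": str(ipaddress.IPv4Address(ip[16:20])),
            "sport": sport, "dport": dport, "flags": tcp[13],
            "payload": tcp[(tcp[12] >> 4) * 4:]}


def match_host(pkts, host):
    """Same selection as the Wireshark display filter `ip.addr == host`."""
    return [p for p in pkts if host in (p["src"], p["dst"])]


def session_openers(pkts, host, nbytes=16):
    """(dst, dport, sport) -> first payload bytes `host` sent on that session.
    Only sessions `host` initiated (its SYN seen) are tracked."""
    sessions = {}
    for p in pkts:
        if p["src"] != host:
            continue
        key = (p["dst"], p["dport"], p["sport"])
        if p["flags"] & SYN and not p["flags"] & ACK:
            sessions.setdefault(key, None)
        elif key in sessions and sessions[key] is None and p["payload"]:
            sessions[key] = p["payload"][:nbytes]
    return sessions


def repeated_openers(sessions):
    """Opening payload -> destinations that all received it (C&C candidates)."""
    seen = {}
    for (dst, dport, _sport), opener in sessions.items():
        if opener:
            seen.setdefault(opener, set()).add((dst, dport))
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    pkts = [p for p in map(parse_frame, read_pcap(SAMPLE_PCAP)) if p]
    print(len(match_host(pkts, "203.0.113.10")), "packets to/from 203.0.113.10")
    for opener, dsts in repeated_openers(session_openers(pkts, SUSPECT_HOST)).items():
        print(opener, "->", sorted(dsts))
```

To use it on a real capture, replace SAMPLE_PCAP with the bytes of a file written by `tcpdump -w` on the capturing PC; the parser ignores non-IPv4/TCP frames, and only the first 16 payload bytes per session are compared, which is enough to spot a fixed beacon header while ignoring whatever varies behind it.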
