HP3000-L Archives

May 2000, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Emerson, Tom # El Monte" <[log in to unmask]>
Reply To: Emerson, Tom # El Monte
Date: Mon, 22 May 2000 19:36:52 -0400
Content-Type: text/plain

I'll put your mind at ease "just a bit" on at least one of these items:

> -----Original Message-----
> From: Jim McCoy [mailto:[log in to unmask]]
>
> In my email this morning, I found a suspicious email which I
[...]
> Apparently a script was able to activate that launched MSIE
[...]
> This was all happening as I was reaching for the power
> switch.
[...]
> There was a new directory called FOUND.0000 with 38 numbered
> files in it:
> FOUND0001.CHK - FOUND0038.CHK  Most of these files are unreadable.

This would be your own doing -- undoubtedly, when you re-applied power to
your system, you got the finger-wagging blue screen telling you to "properly
shut down" to "avoid seeing this message".  These ".chk" files are the
bits-and-pieces of files that "scandisk" found as "no longer attached to
anything recognizable", and if "reading e-mail" was an in-progress task when
you pulled the rug, it's no wonder you see bits-and-pieces of e-mail
messages in the "found...." files.  (Did the scandisk process ask you if you
wanted to make an "undo" disk?  If so, this is very likely the cause of your
problem.)


[...]
>
> This does not appear to be a virus.  I think it was a hacker
> looking for
> internet account, IP Address and password information.
>

I think I've seen this (or similar) messages on my system.  While I cannot
be 100% certain [who can, nowadays?] I think there are/were two things
happening here:

   1) this message did indeed originate in China and does indeed contain
text "in Chinese", hence the need to download/auto-install Chinese font
support.  Not that you can "see" it, but if you could, you'd "see" that this
"font support" is downloaded from Microsoft's servers, not some
unnamed/unidentified "hacker" site.  (Then again, with the way this works,
MS's site IS an unnamed/unidentified "hacker" site...)

   2) the "web page" that is displayed ALSO plays a midi/mp3 file as
"background music", hence the references to "music sites in China" [which
someone else noted].  From what I could make out (I don't read Chinese, but
there was some "English" text sprinkled about), these were offers of "1000
copies of 'xyz' CD" (at a presumed fantastic price); whether these are music
CDs or commercial programs I cannot tell, but with the music as a
background, I suspect these are music CDs and perhaps the "music" being
played is what's on the CD.  [In either case, however, I suspect they are
"pirated" anyway, and they're looking for a distribution channel...]

Finally, most (?) people are using "dial up" connections and (therefore)
receive new-and-different IP addresses each time.  Only "currently active"
sessions would have the same IP address, and since e-mail is "historical" in
nature (in this case), any "IP" information gleaned from an e-mail message
would likely be useless since it's guaranteed to be "out of date" the moment
you receive it...
