Comments on Forensic Incident Response: Name that hack
Blog author: hogfly (http://www.blogger.com/profile/00741773109962883616)
Comment feed last updated: 2023-04-02T10:17:04-04:00

Anonymous, 2008-04-06T09:23:00-04:00:

The 1st post has most of it correct. The netcat command is actually an outbound connection, and when it makes a connection it will spawn the cmd.exe.

If the connection was live, the 1st thing I would decide is to either block it, or sniff it to determine what he was doing.

Next I would grab a WFT of the system. Memory analysis could also be helpful if the cmd.exe was the [...]

Mr. Obnibolongo (https://www.blogger.com/profile/06101752182004381600), 2008-03-29T07:53:00-04:00:

Hi!
I've visited your blog a few times now and I've noticed that though your articles are *very* interesting there aren't many replies/comments. Anyway, I suppose you run a hit counter somewhere (too lazy to check that) but I thought I'd say "personally": THANK YOU for your postings :)

P.S.: I'd have stopped noticing the MySQL stuff :P

Anonymous, 2008-03-26T17:47:00-04:00:

Looking at the hex values, right up front what jumps out is 0x4d5a, or MZ in ASCII. These look like DOS executable files in hex. Also, these are MySQL commands. Likely MySQL running on a Windows system, or assumed to run on a Windows system.
Basically it looks like someone found an open MySQL server with access to the root user who happens to have the 'FILE' privilege by default, thus the ability [...]