Computer invisible on corporate network

Status
Not open for further replies.

ephil75

Bear with me, I am somewhat perturbed. Someone at my company is able to netsend me and is interrupting my concentration. Their computer name appears on the net send message but I can't ping that name. I think they are also using some form of remote control agent to take control of my PC because my cursor starts jumping around the screen. I have a good idea who it is, but can't prove it.
1. How is it possible for netsend to be sent from this computer when I can't ping it?
2. How can I find out who is doing this so I can confront them without them saying "It's not me."?
3. Is there a configuration that I can make on an XP Pro workstation, that doesn't involve installing software, so that this person cannot invade my computer in these ways?

Thanks for your help,
EP
 
What errors do you get when you try to ping this machine...

Net send itself cannot initiate remote control of the machine...(well not that I know of).

The person will either have to have access to admin privileges and have the Admin pack for Windows installed on his machine, or have third-party software installed on his machine.

hhhmmm....

The only other way I can think of is if he used some MSDOS Commands.....eg... ROUTE.

The site below will give you some of the major MS DOS commands, what they do, and examples.

http://www.computerhope.com/msdos.htm#03
 
You need to DISABLE your MESSENGER SERVICE

this will stop the NET SEND ability on your system.

Go into the control panel, and look for ADMINISTRATIVE TOOLS> then SERVICES > look for MESSENGER SERVICE

Double-click on it and set the STARTUP TYPE TO DISABLE or MANUAL

OK outta there,,,

As for the Remote aspect,, there are very small utilities that are able to be installed from a floppy that can install a REMOTE client on your machine,, problem is,, what did this person possibly install? This would allow them to initiate the remote from their PC, and connect to the HOST (your PC) and then give them the options of what to take over,, I used to have one called "bartender"

Additionally,, if the OS we are talking about is XP,, then the REMOTE ASSISTANCE might be enabled on your machine,,, One could set it up quickly via SYSTEM PROPERTIES>REMOTE,,

check in there and see if the "Allow users to connect to this workstation ..." is checked off,,,if so,, UNCHECK IT,, Further ,, UNCHECK the "Allow remote assistance..." box,,

just to make sure,,

Good Luck

Cheers
 
There is a program called DAMEWARE that will allow remote to any machine without user intervention and without really telling you anything. You will see an icon in the systray now and again, but there is a service running that identifies it directly.
We used that in our environment for a while, but some overzealous techs thought it would be a good idea to spy on the boss... Well, let's just say we don't use that anymore and have it blocked from the machine.
If the Guy in question is an admin to your machine, he can do pretty much anything he wants. The only way to stop him involves things that might cause you problems on your network anyway...
But as Crash said, kill the messenger service and you won't get the prompts anymore.
There is also an eventlog entry generated under the System log for Application Popup. That will tell you what machine the message came from.
For your proof...
Good luck...
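
The event-log check suggested above, as an added example that is not part of the original post: it pulls the sending machine name out of Application Popup descriptions and counts messages per sender. The sample entries, the machine names and the exact wording of the description line are constructed assumptions, and `Get-NetSendSender` is a hypothetical helper name.

```powershell
# Constructed sample: descriptions shaped like the "Application Popup" entries
# the Messenger service writes to the System log. The exact wording is an
# assumption; adjust $pattern if the entries on your machine differ.
$sample = @(
    "Application popup: Messenger Service  : Message from WKS-0417 to EP-DESK on 3/14/2005 10:02:11 AM`r`n`r`nhello?",
    "Application popup: Messenger Service  : Message from WKS-0417 to EP-DESK on 3/14/2005 10:05:40 AM`r`n`r`nyou there",
    "Application popup: Messenger Service  : Message from PRINTSRV to EP-DESK on 3/14/2005 11:30:02 AM`r`n`r`nJob done",
    "Application popup: Windows - Low Disk Space : Drive C: is almost full"
)

function Get-NetSendSender {
    param([string[]]$Message)
    $pattern = 'Messenger Service\s*:\s*Message from\s+(\S+)\s+to\s+(\S+)\s+on\s+(.+)$'
    foreach ($m in $Message) {
        # The header is on the first line; the message text follows a blank line.
        $header = @($m -split "`r?`n")[0].TrimEnd()
        if ($header -match $pattern) {
            New-Object PSObject -Property @{
                Sender    = $Matches[1].ToUpper()
                Recipient = $Matches[2]
                SentAt    = $Matches[3]
            }
        }
        # Other Application Popup entries (disk space, app errors) are skipped.
    }
}

# Tally senders, most frequent first.
Get-NetSendSender -Message $sample |
    Group-Object Sender |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Against the live log, feed the real descriptions instead of $sample:
# $live = Get-EventLog -LogName System -Source 'Application Popup' |
#     ForEach-Object { $_.Message }
# Get-NetSendSender -Message $live | Group-Object Sender
```

The name recorded is the one the sending machine reported, so treat it as a lead to confirm against network or address records.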
 
I had DAMEWARE installed on my computer by someone who decided to monitor my activity. I still to this day do not know who it was, however I contacted DAMEWARE and they wrote me back saying that their intent when creating the program was not to allow anyone remote access but it is possible that is happening, and gave me removal instructions. It was a while ago but I believe I just used DOS commands to remove it since it wasn't allowing me to delete it from my program files. If it was DAMEWARE you would see the system icon sitting down there.
 
never tried dameware, but pcAnywhere has a system tray icon too. by closing it from the tray you would immediately disconnect any remote sessions. shouldn't you be able to uninstall this remote control software like pcAnywhere without DOS as long as you have admin privilege?

also do what inaris says. disable remote desktop and disable terminal services. a firewall would block all remote control software i am pretty sure.
 
Well see you should be able to remove the software, however if it was maliciously installed it is like spyware, and when you try to delete it normally it says that you cannot delete this program because it is in use.
 
Dameware runs in a service and can be completely hidden from the user. It's a really robust program for remote, but has the potential for malicious use. I suspect the guy doing this is not bright, but is instead using built in windows stuff and maybe something like SMS remote. you can configure SMS remote to not show the Icon as well as no user prompts. and if the mouse is jerking around, I would suspect SMS over Dameware.
 
Are you trying to ping a netbios name or an IP address? It would be possible for the sending comp to block ICMP traffic (ping) and be able to use net send (tcp or ip?).

The sender could also be changing his netbios name to avoid being caught, but if you could log the traffic you'd be able to catch the person by recognizing the ip address.
-------------------------------------
from: http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999041209131106
What is a Trojan horse?
Trojan Horses are impostors--files that claim to be something desirable but, in fact, are malicious. A very important distinction between Trojan horse programs and true viruses is that they do not replicate themselves. Trojans contain malicious code that when triggered cause loss, or even theft, of data. For a Trojan horse to spread, you must invite these programs onto your computers--for example, by opening an email attachment or downloading and running a file from the Internet. The PWSteal.Trojan is a Trojan.
------------------------------------

Common trojans include netbus, subseven, & BackOrifice

The ones named above install a host service on your machine that normally has to be started on boot, so check all startup locations (don't forget the registry!!! actually check it first). I believe most of these viruses communicate on different ports so port blocking is out.

There are apps to scan for trojans, I believe moosoft is a popular one. Any virus scanner should pick these up as well.

I've never heard of anyone exploiting the Remote Assistance feature in XP. Also, to start one of these sessions, the user must send an invitation by win messenger or email.

------------------------

from: http://www.webopedia.com/TERM/T/Trojan_horse.html
Trojan horse

A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer.

The term comes from a story in Homer's Iliad, in which the Greeks give a giant wooden horse to their foes, the Trojans, ostensibly as a peace offering. But after the Trojans drag the horse inside their city walls, Greek soldiers sneak out of the horse's hollow belly and open the city gates, allowing their compatriots to pour in and capture Troy.
--------------------------------
 
csamuels,
What does your last post have to do with this thread? Aside from the little tidbit about remote assist, the rest is just added jargon.
Dameware isn't a Trojan, if that is what you are implying. The program operates so that it loads and runs the service needed, and then when you are done, it will delete the service on close. It's a very nice app, not a trojan. And Trojan seekers will not pick it up either. The problem this guy was/is having is centered around another person causing problems using a remote application/machine interface.
 