Abel & Cain?

Discussion in 'malware problems & news' started by anhfhsk, Jan 30, 2004.

Thread Status:
Not open for further replies.
  1. anhfhsk

    anhfhsk Guest

    I suspect someone is running "Abel & Cain" on the network, as when doing NETSTAT on a machine I found this:
    TCP PC114:3200 oxid.it:netbios-ssn TIME_WAIT
    TCP PC114:3221 oxid.it:microsoft-ds TIME_WAIT
    TCP PC114:3226 oxid.it:netbios-ssn TIME_WAIT
    TCP PC114:3227 oxid.it:netbios-ssn TIME_WAIT
    TCP PC114:3228 oxid.it:netbios-ssn TIME_WAIT
    TCP PC114:3229 oxid.it:netbios-ssn TIME_WAIT
    TCP PC114:3231 dc.m-net.net:netbios-ssn ESTABLISHED
    TCP PC114:3233 dc.m-net.net:epmap TIME_WAIT

    "oxid.it" is some sort of hacker/spyware/cracker site and it shouldn't be listed there. Or what's going on?
    Question: How do I find and remove the related files? Will NOD32 find them?
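    One thing a defender can read straight off the output quoted above is the direction of the traffic: the local side of each line is an ephemeral port (3200, 3221, ...) and the remote side is a well-known service port (netbios-ssn = 139, microsoft-ds = 445, epmap = 135), so PC114 itself opened those connections to oxid.it rather than being connected to. The script below is an added example, not code from the thread or from any product mentioned in it; it parses Windows-style netstat text, resolves the service names netstat prints, and flags SMB/RPC connections whose remote host is outside the local domain. The sample lines are constructed to mirror the quoted output, the service-name-to-port map is built from the standard assignments, and treating m-net.net as the school's own domain (because dc.m-net.net appears in the post) is an assumption.

```python
"""Flag outbound SMB/RPC connections to hosts outside the local domain in netstat output."""
import re
from typing import NamedTuple

# Constructed sample, modelled on the netstat lines quoted in the post above.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address           State
  TCP    PC114:3200             oxid.it:netbios-ssn       TIME_WAIT
  TCP    PC114:3221             oxid.it:microsoft-ds      TIME_WAIT
  TCP    PC114:3231             dc.m-net.net:netbios-ssn  ESTABLISHED
  TCP    PC114:3233             dc.m-net.net:epmap        TIME_WAIT
  TCP    PC114:1045             mail.m-net.net:pop3       ESTABLISHED
  UDP    PC114:137              *:*
"""

# Windows netstat substitutes names from the 'services' file for well-known ports.
# Map built from the standard IANA assignments (not taken from the thread).
SERVICE_PORTS = {"netbios-ssn": 139, "microsoft-ds": 445, "epmap": 135, "pop3": 110}

# Ports used for Windows file sharing / RPC; a workstation normally only talks
# to these on its own domain controllers and file servers.
SMB_RPC_PORTS = {135, 139, 445}

# Assumption: the school's own domain, inferred from dc.m-net.net in the post.
INTERNAL_SUFFIXES = (".m-net.net",)


class Connection(NamedTuple):
    proto: str
    local_host: str
    local_port: int
    remote_host: str
    remote_port: int
    state: str


# One netstat row: proto, host:port, host:port, optional state.
# Note: this handles the hostname/IPv4 form only, not bracketed IPv6 addresses.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")


def _port(token: str) -> int:
    """Turn a netstat port token (number, service name, or '*') into an int; -1 if unknown."""
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS.get(token, -1)


def parse_netstat(text: str) -> list[Connection]:
    """Parse netstat output into Connection records, skipping headers and blank lines."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, lhost, lport, rhost, rport, state = m.groups()
        conns.append(Connection(proto, lhost, _port(lport), rhost, _port(rport), state))
    return conns


def initiated_locally(c: Connection) -> bool:
    """Ephemeral local port talking to a well-known remote port means this host opened it."""
    return c.local_port >= 1024 and 0 < c.remote_port < 1024


def flag_external_smb(conns: list[Connection],
                      internal_suffixes: tuple[str, ...] = INTERNAL_SUFFIXES) -> list[Connection]:
    """Return SMB/RPC connections whose remote host is not in the local domain."""
    flagged = []
    for c in conns:
        if c.remote_port not in SMB_RPC_PORTS:
            continue
        host = c.remote_host.lower()
        if host == "*" or any(host.endswith(s) for s in internal_suffixes):
            continue
        flagged.append(c)
    return flagged


def report(text: str) -> list[str]:
    """Human-readable findings, one per flagged connection."""
    lines = []
    for c in flag_external_smb(parse_netstat(text)):
        direction = "outbound from" if initiated_locally(c) else "inbound to"
        lines.append(f"{c.proto} {direction} {c.local_host}: {c.remote_host}:{c.remote_port} ({c.state})")
    return lines


if __name__ == "__main__":
    for finding in report(SAMPLE_NETSTAT):
        print(finding)
```

    Run against the sample, the two oxid.it rows are reported as outbound from PC114 on 139 and 445, while the domain controller and mail server rows are not. In practice the list of internal suffixes (or subnets) is the part to get right: the check is only as good as the inventory of hosts a workstation is legitimately expected to exchange SMB and RPC traffic with.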
  2. controler

    controler Guest

    Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program comes in two versions because of the differences and limitations of some APIs.

    Version 2.5 is faster and contains a lot of new features like APR (Arp Poison Routing) which enables sniffing on switched LANs by hijacking IP traffic of multiple hosts at the same time. The sniffer can also analyze encrypted protocols such as SSH-1 and HTTPS if used with APR and a Man-in-the-middle situation. Cain also ships routing protocol authentication monitors and route extractors, crackers for all common hashing algorithms and for other various specific authentications, password calculators (Cisco PIX Hashes, RSA SecurID Tokens), decoders (Access Databases, Base64, Cisco Type-7, Enterprise Manager, Dialup, Remote Desktop) and some utilities like the Cisco Config Downloader/Uploader, the SiD-Scanner, the LSA Secrets Dumper, the Protected Storage Passwords Viewer, the NT Hash-Dumper (works with Syskey enabled), the Abel Remote Console, the MAC Scanner, the Promiscuous-Mode Scanner and the TCP/UDP/ICMP Traceroute + DNS Resolver + Netmask Discovery + WHOIS resolver (extracts information from RIPE's Database).
    However the program is still in beta and may contain bugs.

    Do you have a firewall?
  3. anhfhsk

    anhfhsk Guest

    No matter what things A & C can do, it's a backdoor/keylogger/hijacker and I don't want it on the network. Just as NOD detects SubSeven, it should also detect A & C.
    I have a firewall and the network is switched, but that doesn't help much as this is a school and the attacks come from within the LAN.