
Help with forensic evidence

8 Posts
7 Users
0 Reactions
831 Views
 pimp
(@pimp)
Active Member
Joined: 11 years ago
Posts: 18
Topic starter  

Hello to all,

The other day I had a problem with a computer. It has static addressing (IP, gateway, DNS) and it couldn't surf the Internet. After a little while I realized that the static gateway IP had been changed; in other words, on Thursday the configuration was OK and on Friday it was bad. As far as I know, no one in the department has changed the IP of the gateway, and the user doesn't have any privileges. So,

1. Is there any malware which changes this IP?
2. In case someone changed this registry key, and taking into account that we had to change it back because the user needed to access applications and email, what evidence can we look for to find out what happened?

The PC has Windows XP SP3 installed.

Thanks in advance.


(@gingerbread1124)
New Member
Joined: 9 years ago
Posts: 3
 

There is malware called DNS changer. It could have affected the system if you are seeing the IP change.

There are similar trojans of this kind. If it is the reason, then you have to quickly heal your system.


jpickens
(@jpickens)
Estimable Member
Joined: 18 years ago
Posts: 130
 

The PC has Windows XP SP3 installed.

I think this answers the question. XP is very insecure and should not be used because it's discontinued. Meaning, no more patches for any new malware or exploits, and that exposes you to many possible issues.

what evidence can we look for to find out what happened?

If you have a memory dump, that would be a good start. Following proper evidence-handling and response steps will help you preserve as much as possible to determine the root cause.


 pimp
(@pimp)
Active Member
Joined: 11 years ago
Posts: 18
Topic starter  

Thanks to both,

We don't have a memory dump, so I can't see anything apart from the log files in XP. About the malware: the strange thing for me is that it only changes the gateway IP, and the user gets a denial of service (corporate applications, email, etc.) because the PC can't route packets. If someone did this using scripting, what kind of evidence would we have? Where can I find, for example, that the registry key has been changed?


tracedf
(@tracedf)
Estimable Member
Joined: 10 years ago
Posts: 169
 

I don't think there is an easy answer for you.

Knowing when the associated registry key was modified would have been helpful, but it doesn't store a log, only the most recent modified date, and you would have updated that when you changed the gateway back.

You could ask someone to do a thorough analysis of the system to determine if malware is present and, if so, to analyze the malware to determine what it does.

How valuable is the data on this computer? Is it worth investigating or should you just wipe it and start over?

You definitely need to get off Windows XP and move to Windows 7 or 10 (although 7 will be end of life before too much longer).


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I think this answers the question. XP is very insecure and should not be used because it's discontinued. Meaning, no more patches for any new malware or exploits, and that exposes you to many possible issues.

You definitely need to get off Windows XP and move to Windows 7 or 10 (although 7 will be end of life before too much longer).

Oww, come on guys … 😯

jaclaz


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Have you considered creating a timeline of system activity, in order to see what may have occurred around that time?

Given that the contents of a Registry key were modified, that makes the question a perfect candidate for timeline analysis. By default, Windows XP still updates the last-access times on files, so you've got that going for you. Also, remember that you have access to Registry hive files in the System Restore Points.


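The timeline approach keydet89 describes, together with tracedf's point that the live key only keeps its most recent LastWrite time, in working form. This is an added example and not code from the thread or from any of its participants. It merges a Sleuth Kit bodyfile (file-system MACB times, which on XP include meaningful last-access times) with Registry key LastWrite times and then looks at the minutes around the key change. All timestamps and file names below are constructed; `{IFACE-GUID}` stands in for the real interface GUID, `RP123` for whichever restore point holds the hive copy, and the LastWrite values are assumed to have already been pulled out of the hives with a Registry parser (RegRipper or similar), which this example does not do.

```python
"""Timeline analysis around a Registry change: merge file-system MACB
times (Sleuth Kit bodyfile) with Registry key LastWrite times, then
look at what happened in the minutes around the key change.
Added example; every value below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(order=True)
class Event:
    when: datetime
    source: str   # "fs" (file system) or "reg" (Registry key LastWrite)
    flags: str    # MACB flags for fs events; "W" for a key LastWrite
    item: str     # file path, or "<hive>: <key>"


def _utc(epoch):
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc)


# CONSTRUCTED sample bodyfile in mactime 3.x format:
# MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
# XP updates NTFS last-access (atime) by default, so the A timestamps on
# cmd.exe and netsh.exe are real evidence of what ran when.
BODYFILE = """\
0|C:/WINDOWS/system32/cmd.exe|1235|r/rrwxrwxrwx|0|0|389120|1228460690|1208162000|1208162000|1208162000
0|C:/WINDOWS/system32/netsh.exe|1234|r/rrwxrwxrwx|0|0|86016|1228460700|1208162000|1208162000|1208162000
0|C:/Documents and Settings/user/My Documents/report.doc|2001|r/rrwxrwxrwx|0|0|40960|1228200000|1228200000|1228200000|1227000000
"""

# CONSTRUCTED LastWrite times for the interface key that holds DefaultGateway.
# The first comes from the SYSTEM hive copy inside a System Restore Point
# (assumed to have been taken after the change but before the admin's fix);
# the second is the live hive, whose LastWrite only reflects the fix.
# {IFACE-GUID} and RP123 are placeholders (assumptions).
IFACE_KEY = r"ControlSet001\Services\Tcpip\Parameters\Interfaces\{IFACE-GUID}"
REG_LASTWRITE = [
    ("RP123/snapshot/_REGISTRY_MACHINE_SYSTEM", IFACE_KEY, 1228460710),
    ("live SYSTEM hive", IFACE_KEY, 1228560000),
]


def parse_bodyfile(text):
    """One Event per distinct timestamp per file, flagged MACB-style."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        name = f[1]
        stamps = {"A": int(f[7]), "M": int(f[8]), "C": int(f[9]), "B": int(f[10])}
        by_ts = {}
        for flag, ts in stamps.items():
            if ts > 0:                      # 0 means "unknown" in a bodyfile
                by_ts.setdefault(ts, set()).add(flag)
        for ts, flags in by_ts.items():
            macb = "".join(c if c in flags else "." for c in "MACB")
            events.append(Event(_utc(ts), "fs", macb, name))
    return events


def registry_events(entries):
    return [Event(_utc(ts), "reg", "W", f"{hive}: {key}") for hive, key, ts in entries]


def build_timeline(bodyfile_text, reg_entries):
    """Single chronologically sorted list across both evidence sources."""
    return sorted(parse_bodyfile(bodyfile_text) + registry_events(reg_entries))


def events_in_window(timeline, anchor_epoch, minutes=5):
    """Events within +/- `minutes` of the anchor (here: the key's LastWrite)."""
    anchor = _utc(anchor_epoch)
    span = timedelta(minutes=minutes)
    return [e for e in timeline if abs(e.when - anchor) <= span]


def format_event(e):
    return f"{e.when:%Y-%m-%d %H:%M:%S} {e.source:3} {e.flags:4} {e.item}"


if __name__ == "__main__":
    tl = build_timeline(BODYFILE, REG_LASTWRITE)
    # Anchor on the restore-point copy of the key: its LastWrite survived
    # the admin's fix, whereas the live hive's LastWrite did not.
    for e in events_in_window(tl, REG_LASTWRITE[0][2], minutes=5):
        print(format_event(e))
```

Anchoring on the restore-point copy is the whole point: in the live hive the LastWrite time now only says when the gateway was set back, while the copy under `System Volume Information` still carries the earlier write, and the file-system atimes clustered just before it (cmd.exe, then netsh.exe in the constructed data) are what a timeline makes visible.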
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Check your logs! It doesn't matter whether it was malware, scripting, or commands typed at the keyboard; if your gateway changed, there should be a log of it.

As for MS operating systems, once they are compromised, most probably the logs are also useless. It doesn't matter much if it is XP or not :)

