0 Replies Latest reply on Apr 1, 2005 10:52 PM by sengsational

    Command Injection Vulnerability?

    sengsational

      Apparently someone from "The Computer Guy" IP range (or someone acting
      as someone from there) got rcp.exe to run on my machine, attempting to
      contact 216.30.236.32 port 514. I detected this with ZoneAlarm.


      The reason I'm posting here is because I've just installed JBoss and
      MySQL on my machine, and until this point, I have never had this type
      of attack before. It happened right around the time I accessed the
      JBoss JMX console for the first time from over the Internet (I accessed
      my home PC from work). I have a non-static IP, so I'm running the
      No-IP DUC so I can find my machine on the Internet.


      Could someone wager a guess as to what happened at 8:42 this morning?
      What was attempted? How was it done? I password protected my JBoss
      JMX and Management consoles, but of course it's only with basic
      authentication, which is really nothing if someone wants to snoop. Is
      there something in one of the interfaces that get installed with JBoss
      that would allow for someone to start a remote copy?


      Thanks.


      --Dale--


      -----------DETAILS--------------


      Description TCP/IP Remote Copy Command requested permission to access the internet.
      Rating High
      Date / Time 2005/04/01 08:42:04-5:00 GMT
      Type New Program
      Program C:\WINDOWS\system32\rcp.exe
      Source IP
      Destination IP 216.30.236.36:514
      Direction Outgoing (connect)
      Action Taken Blocked (once)/Manual
      Count 1


      CustName: The Computer Guy
      Address: 5306 McCorkle Ave
      City: Charleston
      StateProv: WV
      PostalCode: 25302
      Country: US
      RegDate: 2004-06-23
      Updated: 2004-06-23


      NetRange: 216.30.236.32 - 216.30.236.39
      CIDR: 216.30.236.32/29
      NetName: CUST-THECOMPUTERGUY-216-NET1
      NetHandle: NET-216-30-236-32-1
      Parent: NET-216-30-192-0-1
      NetType: Reassigned
      Comment:
      RegDate: 2004-06-23
      Updated: 2004-06-23


      OrgTechHandle: FIA2-ARIN
      OrgTechName: FiberNet IP Administrator
      OrgTechPhone: +1-304-720-0200
      OrgTechEmail: ipadmin@wvfibernet.net