Educause Security Discussion mailing list archives
Re: Fwd: URGENT: bot net with keylogger
From: "Krulewitch, Sean" <krulewit () IU EDU>
Date: Thu, 8 Apr 2004 18:16:02 -0500
On Thursday, April 08, 2004 10:05:09 PM -0400, Kathy Bergsma <kathya () nersp nerdc ufl edu> wrote:
Yesterday, our flow data showed attempts from compromised systems to connect to port 8040 on the following addresses. We are still logging attempts to the gatech address today. These systems were all blocked remotely and we block port 8040 locally, but our flow data still logs the attempts. Since et.bestexploiters.com no longer resolves, the intruder must be using a new domain. I'll see if I can learn the new domain from a sniff today.

128.61.164.122 hin-128-61-164-122.hinman.gatech.edu
129.244.129.84 <?>.utulsa.edu
129.244.30.149 <?>.utulsa.edu
203.71.132.210 <?>.ksut.edu.tw

On some, but not all, systems we found a file called keylog.txt in c:\windows\system32. We found a rootkit installed in CAROOT on one system. The system had multiple infections and our forensics aren't complete, so we're not sure if it was related to bestexploiters. All compromises on our network were restricted to private IP that is protected with the established option, so my best guess for mode of compromise is that the users visited a malicious website with a vulnerable IE browser. Most of the compromised systems were from sorority houses. All but one were female. A Google search of bestexploiters produces some (now dead) pornography links. Anyone else have any useful forensics?
From what I have seen so far it looks to be a known variant of ago/gaobot. There is at least one report[1] in the wild that looks to be a variant of SDBot (at least in name).

[1] http://groups.google.com/groups?selm=Hafnium.149ubh%40mail.mcse.ms&oe=UTF-8&output=gplain

-Sean

--
Sean Krulewitch, Security Engineer
IT Security Office, Office of the VP for Information Technology
Indiana University
For PGP Key or S/MIME cert: https://www.itso.iu.edu/staff/krulewit/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
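Kathy's message describes the detection that surfaced these infections: flow records from campus hosts reaching out to TCP port 8040 on the four rendezvous addresses, plus the worry that the controller has moved to a new domain. The script below is an added example, written for this archive page and not code from either poster or from any tool they used; it shows how that triage looks when run over a flow export. The flow lines are constructed sample data in a CSV layout I chose, the private address space is assumed to be RFC 1918, and the only page-derived values are port 8040 and the four destination addresses. It flags outbound 8040 flows to the known hosts separately from 8040 flows to any other host, so a replacement rendezvous host shows up as a candidate rather than being missed.

```python
"""Triage flow records for outbound connections to the rendezvous port
named in the thread (TCP 8040). Example code for this archive page, not
from the original posters or any product; sample flows are constructed."""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Values taken from Kathy Bergsma's message.
C2_PORT = 8040
C2_HOSTS = {
    "128.61.164.122",  # hin-128-61-164-122.hinman.gatech.edu
    "129.244.129.84",  # <?>.utulsa.edu
    "129.244.30.149",  # <?>.utulsa.edu
    "203.71.132.210",  # <?>.ksut.edu.tw
}

# Assumption: the "private IP" space the post mentions is RFC 1918.
INTERNAL = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed flow export (not real data). Column layout is my own choice:
# ts,src,sport,dst,dport,proto,packets,bytes  (proto 6 = TCP, 17 = UDP)
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto,packets,bytes
2004-04-08T09:01:12,10.20.5.17,1043,128.61.164.122,8040,6,3,144
2004-04-08T09:01:18,10.20.5.17,1044,129.244.129.84,8040,6,3,144
2004-04-08T09:02:40,10.20.5.17,1051,198.51.100.23,8040,6,4,192
2004-04-08T09:03:01,10.20.7.90,1102,203.71.132.210,8040,6,3,144
2004-04-08T09:03:30,10.20.7.90,1103,192.0.2.10,80,6,12,6000
2004-04-08T09:04:00,10.20.9.3,1200,10.20.1.1,53,17,2,180
2004-04-08T09:05:10,203.0.113.5,44123,10.20.5.17,8040,6,1,60
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    bytes: int


def parse_flows(text: str) -> list:
    """Parse the CSV flow export into Flow records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Flow(r["ts"], r["src"], int(r["sport"]), r["dst"], int(r["dport"]),
             int(r["proto"]), int(r["packets"]), int(r["bytes"]))
        for r in rows
    ]


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def classify(flow: Flow) -> Optional[str]:
    """Reason string for an outbound TCP flow to the rendezvous port, else None.

    Inbound hits on 8040 (external source) are ignored: the post is about
    compromised campus hosts calling out, and 8040 is blocked at the border.
    """
    if flow.proto != 6 or flow.dport != C2_PORT:
        return None
    if not is_internal(flow.src) or is_internal(flow.dst):
        return None
    if flow.dst in C2_HOSTS:
        return "known-c2"
    # Same port, unlisted host: a candidate for the "new domain" the post expects.
    return "port-8040-unlisted"


def suspicious_sources(flows) -> dict:
    """Map each internal source to the (reason, destination) pairs it hit."""
    hits = defaultdict(list)
    for f in flows:
        reason = classify(f)
        if reason:
            hits[f.src].append((reason, f.dst))
    return dict(hits)


def candidate_hosts(flows) -> set:
    """Unlisted destinations contacted on port 8040: worth a DNS/sniff follow-up."""
    return {f.dst for f in flows if classify(f) == "port-8040-unlisted"}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for src, pairs in sorted(suspicious_sources(flows).items()):
        print(src, "->", ", ".join(f"{dst} [{why}]" for why, dst in pairs))
    print("candidate new rendezvous hosts:", sorted(candidate_hosts(flows)))
```

Run against the constructed sample, the two campus hosts that called out to 8040 are listed with every destination they hit, and 198.51.100.23 is reported as a candidate replacement host even though it is not in the published list; the inbound 8040 probe from 203.0.113.5 and the ordinary web and DNS flows are left alone. Swapping `SAMPLE_FLOWS` for a real export with the same columns is the only change needed to use it on live data.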
Current thread:
- URGENT: bot net with keylogger REN-ISAC (Apr 05)
- <Possible follow-ups>
- Re: URGENT: bot net with keylogger Doug Pearson (Apr 05)
- Re: Fwd: URGENT: bot net with keylogger Doug Pearson (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger T. Charles Yun (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Krulewitch, Sean (Apr 08)
- Re: Fwd: URGENT: bot net with keylogger Kathy Bergsma (Apr 09)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Dave Monnier, IT Security Office, Indiana University (Apr 12)
- Re: Fwd: URGENT: bot net with keylogger Gary Flynn (Apr 12)
(Thread continues...)