Educause Security Discussion mailing list archives
Re: Domain Controller Attacks
From: Wayne Bullock <wayne () FAU EDU>
Date: Fri, 14 Oct 2005 17:08:17 -0400
Yup, the "220 Reptile is ready to serve" appears to be our most common problem by far. There appears to be one other similar ftp server variant as well. We have put some router access-lists in that help, and I've asked that the servers be moved to a more secure subnet. This will likely occur early next week. Additionally, we're pulling infected machines off the network as they appear.

On the Active Directory Domain Controller server side, Windows NT support is no longer a big issue, but SAMBA support is, which appears to be a related issue. So, some of the Windows security things they'd like to do, they can't without disrupting those folks.

I really appreciate everyone's help,

--Wayne

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University

-----Original Message-----
From: Wayne J. Hauber [mailto:wjhauber () IASTATE EDU]
Sent: Friday, October 14, 2005 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Domain Controller Attacks

At 10:38 AM 10/14/2005, Dave Monnier, IT Security Office, Indiana University wrote:
Wayne Bullock wrote:

> Working with Security, they believe it's some type of virus that appears to be going around on students' machines. Is anyone else seeing this?

This is fairly common. Some code tries to exploit other code, other code tries to exploit poor passwords. Could be most anything.
We had all of our school's AD domain controllers under attack this week. It may not be your attacker. Ours was a password attack like yours, though. We found four systems running some sort of bot. They also had an ftp server with the banner "220 Reptile is ready to serve". We found a couple of command and control systems that we've blocked. At least at our school, we are seeing bots in a common botnet.
Cheers,
-Dave

--
| Dave Monnier - dmonnier () iu edu - http://mypage.iu.edu/~dmonnier/ |
| Lead Security Engineer, Information Technology Security Office |
| Office of the VP for Information Technology, Indiana University |
Wayne Hauber
(515) 294-9890
Information Technology Services
IT Security and Policies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
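A banner sweep of the kind both schools used to find the bot-infected hosts, as an added example that is not code from the thread. The indicator string is the one quoted in the messages above; the host addresses, the sample capture and the function names are constructed.

```python
"""Find hosts on a subnet you administer whose FTP greeting matches the
banner reported in the thread ("220 Reptile is ready to serve").

Added example, not code from the mailing-list thread. The indicator
string comes from the thread; SAMPLE_CAPTURE and the addresses in it
are constructed for illustration.
"""
import re
import socket

# Exact banner from the thread; allow the "220-" continuation form and
# any letter case, since bot binaries are not consistent about either.
SUSPECT_BANNER = re.compile(rb"^220[ -]\s*Reptile is ready to serve", re.I)


def classify_banner(banner: bytes) -> str:
    """Return 'suspect', 'ftp' or 'none' for one raw greeting line."""
    line = banner.strip()
    if not line.startswith(b"220"):
        return "none"          # closed port, or not an FTP greeting at all
    if SUSPECT_BANNER.search(line):
        return "suspect"
    return "ftp"               # some other FTP server; not this indicator


def grab_banner(host: str, port: int = 21, timeout: float = 3.0) -> bytes:
    """Read the FTP greeting from a host you manage; b'' if it is closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(256)
    except OSError:
        return b""


def triage(banners: dict) -> list:
    """Sorted list of hosts whose captured banner is the suspect one."""
    return sorted(h for h, b in banners.items()
                  if classify_banner(b) == "suspect")


# Constructed capture standing in for a sweep of one student subnet.
SAMPLE_CAPTURE = {
    "10.0.5.17": b"220 Reptile is ready to serve\r\n",
    "10.0.5.23": b"220 Microsoft FTP Service\r\n",     # legitimate server
    "10.0.5.40": b"",                                  # port closed
    "10.0.5.88": b"220-REPTILE IS READY TO SERVE\r\n", # case/continuation variant
    "10.0.5.91": b"SSH-2.0-OpenSSH_4.2\r\n",           # not FTP
}

if __name__ == "__main__":
    # Live use: {h: grab_banner(h) for h in your_host_list} in place of the sample.
    for host in triage(SAMPLE_CAPTURE):
        print(host, SAMPLE_CAPTURE[host].strip().decode(errors="replace"))
```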