Educause Security Discussion mailing list archives

Re: Domain Controller Attacks


From: Wayne Bullock <wayne () FAU EDU>
Date: Fri, 14 Oct 2005 17:08:17 -0400

Yup, the "220 Reptile is ready to serve" appears to be our most common
problem by far. There appears to be one other similar ftp server variant
as well. 

We have put some router access-lists in that help and I've asked that
the servers be moved to a more secure subnet. This will likely occur
early next week. Additionally, we're pulling infected machines off the
network as they appear.

On the Active Directory Domain Controller server side, Windows NT
support is no longer a big issue but SAMBA support is, which appears to
be a related issue. So, some of the Windows security things they'd like
to do, they can't do without disrupting those folks.

I really appreciate everyone's help,

        --Wayne

Wayne Bullock
Associate Director, Network Services
Florida Atlantic University
 

-----Original Message-----
From: Wayne J. Hauber [mailto:wjhauber () IASTATE EDU] 
Sent: Friday, October 14, 2005 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Domain Controller Attacks

At 10:38 AM 10/14/2005, Dave Monnier, IT Security Office, Indiana University wrote:

Wayne Bullock wrote:
Working with Security, they think it's some type of virus that
appears to be going around on students' machines. Is anyone else
seeing this?

This is fairly common. Some code tries to exploit other code, other
code tries to exploit poor passwords. Could be most anything.

We had all of our school's AD domain controllers under attack this
week. It may not be your attacker. Ours was a password attack like
yours, though. We found four systems running some sort of bot. They
also had an ftp server with the banner "220 Reptile is ready to
serve". We found a couple of command and control systems that we've
blocked. At least at our school, we are seeing bots in a common
botnet.


Cheers,
-Dave

--

| Dave Monnier - dmonnier () iu edu - http://mypage.iu.edu/~dmonnier/ |
|  Lead Security Engineer, Information Technology Security Office  |
|  Office of the VP for Information Technology, Indiana University |



Wayne Hauber (515) 294-9890
Information Technology Services
IT Security and Policies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu  
