Security Incidents mailing list archives

Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com


From: H C <keydet89 () yahoo com>
Date: Tue, 7 May 2002 10:25:35 -0700 (PDT)

David, 

What other info can you provide about this?  Do you
know how this file got on the box?  What other
services are running?  Are there any other files
associated with this?

I ask b/c I teach an incident response course for 2K,
and I'm always interested in seeing actual
compromises...it helps me tailor my approach and
recommendations.  

For example, I assume you found the sites the file was
hitting based on IDS or firewall logs...right?  What
else have you done?  Have you checked the filesystem
for other new files?  What about processes, network
connections, etc?

I'd also like to ask that if it isn't too much
trouble, could you zip up and send me a copy of that
file, and any other files associated with it?  I'd
like to take a look at it.

Thanks.

--- "Edwards, David  (JTS)" <Edwards.Dave () saugov sa gov au> wrote:
Hi,

We've just found some instances of "netbuie.exe" running in some terminal server sessions here.  The file was written to the Winnt\system32 directory about 6:00pm on Sunday and registry entries made in:

HKLM/Software\Microsoft\windows\current version\run
HKLM/Software\Microsoft\windows\run

It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and fastcounter.bcentral.com when run.  Possibly just generating revenue for some bod somewhere.

Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server patches missing and 2 IE6.

This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-)  The worry is (of course) that the server is further compromised.  Anyone seen this before?

ciao
dave
---
Dave Edwards 
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355 
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Services 
        GPO Box 2048, Adelaide 5001
---




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management 
and tracking system please see:
http://aris.securityfocus.com




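The checks HC asks for (Run-key persistence, newly written files in system32, running processes and their network connections) can be scripted as a first triage pass. This is an added example for readers of the thread, not code from either poster; it assumes the standard Run key paths, treats "recent" as the last 7 days, and needs Get-NetTCPConnection, which requires Windows 8 / Server 2012 or later.

```powershell
# Added triage example (not from the thread): list auto-start Run entries, resolve each
# command line to its executable, flag binaries that were written recently or that sit in
# System32 without a valid Authenticode signature, then show which flagged binaries are
# running and what TCP connections those processes hold.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$since = (Get-Date).AddDays(-7)   # assumption: "recent" means the last 7 days

function Resolve-RunTarget([string]$cmd) {
    # Pull the executable path out of a Run value, handling quoted and unquoted forms
    $expanded = [Environment]::ExpandEnvironmentVariables($cmd)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata properties
        $exe  = Resolve-RunTarget $p.Value
        $info = [ordered]@{ Key = $key; Name = $p.Name; Target = $exe; Flags = @() }
        if (Test-Path -LiteralPath $exe) {
            $file = Get-Item -LiteralPath $exe
            $sig  = Get-AuthenticodeSignature -FilePath $exe
            $info.LastWrite = $file.LastWriteTime
            $info.Signature = $sig.Status
            if ($file.LastWriteTime -gt $since) { $info.Flags += 'written-recently' }
            if ($exe -like "$env:SystemRoot\System32\*" -and $sig.Status -ne 'Valid') {
                $info.Flags += 'unsigned-in-system32'
            }
        } else {
            $info.Flags += 'target-missing'              # value points at a file that is gone
        }
        [pscustomobject]$info
    }
}

$results | Format-Table Key, Name, Target, LastWrite, Signature, Flags -AutoSize

# Correlate flagged binaries with live processes and their TCP connections
foreach ($r in ($results | Where-Object { $_.Flags.Count -gt 0 })) {
    Get-Process | Where-Object { $_.Path -eq $r.Target } | ForEach-Object {
        "[{0}] PID {1} running from {2}" -f ($r.Flags -join ','), $_.Id, $_.Path
        Get-NetTCPConnection -OwningProcess $_.Id -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
    }
}
```

Run it from an elevated prompt so HKLM and all process paths are readable; an entry flagged as both written-recently and unsigned-in-system32 matches the pattern Dave describes and is worth pulling for analysis before the box is cleaned.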

