Security Incidents mailing list archives
Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: H C <keydet89 () yahoo com>
Date: Tue, 7 May 2002 10:25:35 -0700 (PDT)
David,

What other info can you provide about this? Do you know how this file got on the box? What other services are running? Are there any other files associated with this?

I ask b/c I teach an incident response course for 2K, and I'm always interested in seeing actual compromises...it helps me tailor my approach and recommendations. For example, I assume you found the sites the file was hitting based on IDS or firewall logs...right? What else have you done? Have you checked the filesystem for other new files? What about processes, network connections, etc?

I'd also like to ask that if it isn't too much trouble, could you zip up and send me a copy of that file, and any other files associated with it? I'd like to take a look at it.

Thanks.

--- "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au> wrote:
> Hi,
>
> We've just found some instances of "netbuie.exe" running in some terminal server sessions here. The file was written to the Winnt\system32 directory about 6:00pm on Sunday and registry entries made in:
>
> HKLM/Software\Microsoft\windows\current version\run
> HKLM/Software\Microsoft\windows\run
>
> It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and fastcounter.bcentral.com when run. Possibly just generating revenue for some bod somewhere.
>
> Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server patches missing and 2 IE6.
>
> This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-)
>
> The worry is (of course) that the server is further compromised.
>
> Anyone seen this before?
>
> ciao dave
>
> ---
> Dave Edwards
> Justice Technology Services
> Ph: +61 8 82265426 || 0408 808355
> mailto: edwards.dave () saugov sa gov au
> Snail : Justice Technology Services GPO Box 2048, Adelaide 5001
> ---
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
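The triage questions in the reply above (Run-key persistence, files newly written to system32, running processes and their network connections, and preserving a copy of the binary for an analyst) can be answered from one script. The following is an added example, not code from either poster or from this list; it assumes a current Windows host with PowerShell 5 or later (Get-FileHash, Compress-Archive), so it would not run on the Windows 2000 machine in the thread, where the same checks were done by hand with regedit, dir and netstat. The file name and the Sunday 18:00 cut-off come from the thread; the report path, the RunOnce/HKCU key list and the $Since parameter are assumptions for the example.

```powershell
# Added triage example (not from the thread). Assumes PowerShell 5+ on a live Windows host.
# The suspect file name and the cut-off time come from the thread; the report path is assumed.
param(
    [string]$SuspectName = 'netbuie.exe',
    [datetime]$Since = (Get-Date).AddDays(-7),          # thread: file written ~18:00 Sunday
    [string]$Report = "$env:TEMP\triage-report.txt"
)

# Standard auto-start keys (the thread quotes one of them); HKCU covers per-user persistence
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# 1. Persistence: every value under the Run keys, flagged if its command names the suspect file
$persistence = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath/PSParentPath bookkeeping properties
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = "$($p.Value)"
            Suspect = ("$($p.Value)" -match [regex]::Escape($SuspectName))
        }
    }
}

# 2. Filesystem: anything in system32 created or modified after the cut-off
$sys32 = Join-Path $env:SystemRoot 'system32'
$newFiles = Get-ChildItem -Path $sys32 -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length

# 3. Processes: running instances of the suspect binary, with image path and PID
$baseName = [IO.Path]::GetFileNameWithoutExtension($SuspectName)
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.ProcessName -eq $baseName } |
    Select-Object Id, ProcessName, Path, StartTime

# 4. Network: established TCP connections owned by those PIDs.
#    netstat -ano is used rather than Get-NetTCPConnection so this also works on older hosts.
$pids = @($procs | ForEach-Object { $_.Id })
$conns = netstat -ano | Select-String 'ESTABLISHED' | ForEach-Object {
    $f = @($_.Line.Trim() -split '\s+')              # Proto Local Remote State PID
    [pscustomobject]@{ Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] }
} | Where-Object { $pids -contains $_.PID }

# 5. Preservation: hash the binary and zip a copy for an analyst, as the reply asks for
$suspectPath = Join-Path $sys32 $SuspectName
$preserve = @()
if (Test-Path $suspectPath) {
    $hash = (Get-FileHash -Path $suspectPath -Algorithm SHA256).Hash
    $zip  = Join-Path $env:TEMP "$SuspectName.zip"
    Compress-Archive -Path $suspectPath -DestinationPath $zip -Force
    $preserve += "SHA256 $SuspectName = $hash"
    $preserve += "Copy archived to $zip"
}

# Write everything to one report so the findings can be shared with the list or an analyst
@(
    "== Run-key entries (Suspect=True names $SuspectName) ==",
    ($persistence | Format-Table -AutoSize | Out-String),
    "== Files in $sys32 written since $Since ==",
    ($newFiles | Sort-Object LastWriteTime | Format-Table -AutoSize | Out-String),
    "== Running instances of $SuspectName ==",
    ($procs | Format-Table -AutoSize | Out-String),
    "== Established connections owned by those processes ==",
    ($conns | Format-Table -AutoSize | Out-String),
    "== Preservation ==",
    ($preserve -join "`n")
) | Out-File -FilePath $Report -Encoding utf8

Write-Host "Triage report written to $Report"
```

Run it from an elevated prompt so HKLM and other users' processes are visible; pass -Since with the time the file first appeared (from the system32 timestamps or the IDS/firewall log) to keep the file listing short. The connection list only shows what is open at the moment the script runs, which is why the reply also asks for IDS or firewall logs: a binary that beacons to scorpionsearch.com and fastcounter.bcentral.com is easier to catch in historical egress logs than in a single netstat snapshot.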
Current thread:
- netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com H C (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Nick FitzGerald (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Brian McWilliams (May 09)
- <Possible follow-ups>
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 08)
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 08)