Security Incidents mailing list archives
RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Wed, 8 May 2002 15:25:32 +0930
Hi,
-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Wednesday, 8 May 2002 2:56 AM
To: Edwards, David (JTS); incidents () securityfocus com
Subject: Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

David,

What other info can you provide about this? Do you know how this file got on the box? What other services are running? Are there any other files associated with this?
We don't know where it came from at the moment. proxy logs show it started connecting to scorpionsearch etc at 8:57 May 6th CST. [snip]
For example, I assume you found the sites the file was hitting based on IDS or firewall logs...right? What else have you done? Have you checked the filesystem for other new files? What about processes, network connections, etc?
The binary has the sites hard-coded as unicode strings. Apart from netbuie.exe, there was nothing obvious in the process table. We've taken the box off-line and are gathering information at the moment. We're also looking at our backups.

We've found at least one other file probably associated with it. It's called NBSetup.exe. Company name in the Version information says: MiKrOsOFT. This was found in c:\windows\system (note the box is a Win2k Server, not Win95/8). It was owned by the local administrators group (not domain admin).

I'm looking through the firewall logs at the moment. There are some very odd entries there from this machine but I'm not confident that they are related as yet.

ciao
dave

---
Dave Edwards
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Division
GPO Box 2048, Adelaide 5001
---

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
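Two of the observations in the reply above, that the binary carries its sites as hard-coded unicode strings and that the dropped NBSetup.exe claims a look-alike vendor name in its version info, are the kind of thing a responder wants to pull out of a suspect file quickly without executing it. The following is an added example (my own triage helper, not code from the thread or from any tool the posters used): it scans a byte blob for UTF-16LE string literals, picks out hostname-looking tokens, and flags vendor names that nearly match a known vendor but are not an exact match. The sample blob is constructed to resemble the strings described in the post (it is not the real netbuie.exe or NBSetup.exe), and the vendor list, similarity threshold and file-extension exclusions are my assumptions.

```python
import difflib
import re


def _u16(s: str) -> bytes:
    """Encode a string the way a Windows binary stores wide literals: UTF-16LE plus NUL terminator."""
    return s.encode("utf-16-le") + b"\x00\x00"


# Constructed sample standing in for a suspect binary (not the file from the post):
# a PE-like header fragment, an ASCII DOS-stub message, some filler bytes, and
# several UTF-16LE strings of the kind the reply describes.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n$"
    + b"\x00" * 8
    + _u16("http://www.scorpionsearch.com/")
    + b"\xde\xad\xbe\xef"
    + _u16("fastcounter.bcentral.com")
    + _u16("MiKrOsOFT")
    + _u16("C:\\WINDOWS\\SYSTEM\\NBSetup.exe")
    + b"\x00" * 8
)


def extract_utf16le_strings(data: bytes, min_len: int = 6) -> list:
    """Return printable UTF-16LE strings of at least min_len characters.

    A run of (printable ASCII byte, NUL byte) pairs is how a Windows binary
    stores a wide-character literal; plain ASCII strings have no NUL between
    characters and so are not matched here."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


# Dotted tokens ending in a letters-only label: hostnames, possibly inside URLs.
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)

# Dotted tokens that are file names, not hosts (assumed list; extend as needed).
FILE_EXTS = {"exe", "dll", "sys", "ini", "dat", "log"}


def find_hostnames(strings: list) -> list:
    """Pull hostname-looking tokens out of extracted strings, dropping file names."""
    hosts = set()
    for s in strings:
        for m in HOST_RE.finditer(s):
            token = m.group(0).lower()
            if token.rsplit(".", 1)[-1] in FILE_EXTS:
                continue  # e.g. NBSetup.exe is a path component, not a host
            hosts.add(token)
    return sorted(hosts)


# Assumed list of vendor names worth comparing against.
KNOWN_VENDORS = ("microsoft", "microsoft corporation")


def find_vendor_lookalikes(strings: list, threshold: float = 0.8) -> list:
    """Flag strings that nearly match a known vendor name but are not it.

    Case is folded first, so 'MiKrOsOFT' is judged against 'microsoft';
    it differs by one letter, which SequenceMatcher scores well above the
    threshold, while an exact (case-insensitive) vendor name is left alone."""
    hits = []
    for s in strings:
        folded = s.casefold()
        if folded in KNOWN_VENDORS:
            continue
        for vendor in KNOWN_VENDORS:
            if difflib.SequenceMatcher(None, folded, vendor).ratio() >= threshold:
                hits.append(s)
                break
    return hits


def triage(data: bytes) -> dict:
    """Run the three checks over a blob and return everything worth writing down."""
    strings = extract_utf16le_strings(data)
    return {
        "strings": strings,
        "hostnames": find_hostnames(strings),
        "vendor_lookalikes": find_vendor_lookalikes(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_BINARY).items():
        print(f"{key}: {value}")
```

Running `triage` over a real sample (`triage(open(path, "rb").read())`) gives a list of hostnames to check against proxy and firewall logs, which is how the thread correlated the 8:57 May 6th connections, and a list of vendor strings that deserve a second look before anyone trusts the file's version information. The extension filter exists because a dotted file name such as NBSetup.exe looks exactly like a hostname to a naive regex.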