Security Incidents mailing list archives
Re: FTP and Win2K changed security policy
From: "Don Voss" <voss () albany edu>
Date: Wed, 20 Nov 2002 12:23:01 -0500
I have experienced this .. not exactly the same but I think you should direct your research in this direction.

Short version: remote location complains about probes from a unit in my area, sends logs. First look at unit .. virus app off .. attempt to restart .. failed .. close look .. I can "feel" the background tasks running, mouse skitter, video jitter, delays, etc. Pull it off the net .. start to dig. Found various materials .. buried deep was a warez game ftp archive .. + MS IRC material floating in background.

I do not think this is one exploit .. nor yours .. I think it plays out like this: automated scan pounding out exploits or email trojan attachment .. regardless .. success posted in lusers IRC area + IRC bots "sharing" the trophy. Next luser comes along and "uses" the trophy, and the next .. Multiple material from multiple lusers. A combo effect from an open door.

So it goes. Clean house, re-lock the doors. Watch out for net shares propagation of these trojans.

regards,
/don

On 18 Nov 2002 at 12:37, Bojan Zdrnja wrote:
I'm sending this a 2nd time because I didn't receive any message either from the moderator or on the ML.

Hi everyone.

Today one of the employees at my university asked me to check his machine as he couldn't use Netmeeting anymore for remote desktop sharing. Some people here use Netmeeting to easily control their machines from home (I know I should have banned that before on lower level, but ...).

After I couldn't find his machine on our domain (and he was added) I went to his computer and saw that he hasn't got Sophos started at all. Every time I tried to start Sophos it would just hang. Things became interesting at that point (for me, not him :).
[snip]

_________________________________________________________
Don Voss
v o s s @ a l b a n y . e d u
The most human thing we can do is comfort the afflicted and afflict the comfortable. -- Clarence Darrow

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com