Security Incidents mailing list archives

Re: FTP and Win2K changed security policy


From: "Don Voss" <voss () albany edu>
Date: Wed, 20 Nov 2002 12:23:01 -0500

I have experienced this .. not exactly the same but I think you should 
direct your research in this direction.

Short version: 

remote location complains about probes from a unit in my area, sends 
logs.

First look at unit .. virus app off .. attempt to restart .. failed .. 
close look .. I can "feel" the background tasks running, mouse skitter, 
video jitter, delays, etc.

Pull it off the net .. start to dig. Found various materials .. buried 
deep was a warez game ftp archive .. 

+ MS IRC material floating in background.

I do not think this is one exploit .. nor yours .. I think it plays out 
like this:

automated scan pounding out exploits or email trojan attachment .. 
regardless .. success posted in lusers IRC area + IRC bots "sharing" the 
trophy. Next luser comes along and "uses" the trophy, and the next .. 

Multiple materials from multiple lusers. A combo effect from an open door.

So it goes. Clean house, re-lock the doors. Watch out for net-share 
propagation of these trojans.

regards,
/don



On 18 Nov 2002 at 12:37, Bojan Zdrnja wrote:

I'm sending this a 2nd time because I didn't receive any message either
from the moderator or on the ML.

Hi everyone.

Today one of the employees at my university asked me to check his machine as
he couldn't use Netmeeting anymore for remote desktop sharing. Some
people here use Netmeeting to easily control their machines from home (I
know I should have banned that before at a lower level, but ...). After I
couldn't find his machine on our domain (and he was added) I went to his
computer and saw that he didn't have Sophos started at all. Every time I
tried to start Sophos it would just hang. Things became interesting at
that point (for me, not him :).

[snip]

_________________________________________________________
Don Voss                v o s s @ a l b a n y . e d u

The most human thing we can do is comfort the afflicted
and afflict the comfortable.  -- Clarence Darrow



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

