Security Incidents mailing list archives

Re: Q328691 ?


From: "Security" <security () mail-arc com>
Date: Fri, 6 Sep 2002 19:37:00 -0400

We've seen lots of compromises on Windows 2K/XP
boxes with evidence of earlier (Mar-May) compromises.
We have found cmd.exe backdoors at ports 1111:tcp
and 2468:tcp plus lots of xdcc bots.  Only one problem:
we don't know how they are getting in.  We are pretty
sure it is not the following:

    o virus from email or web browsing
    o weak passwords
    o problems with media player.
    o open shares

The only common denominator we found is SMB.
We had large 445:tcp scans around the same time
as the latest compromises.  Could it be:

       http://online.securityfocus.com/bid/5556



Bob Todd
--------------------------------------------------------
Advanced Research Corporation (r)
http://www-arc.com
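Two checks for the indicators described in Bob Todd's post above (cmd.exe listeners on 1111/tcp and 2468/tcp, and bursts of 445/tcp scanning), as an added example that is not part of the original thread. The netstat listing and firewall log lines are constructed samples in the style of `netstat -ano` and a generic "timestamp action proto src dst dport" firewall log; the port numbers come from the post, while the hosts, PIDs, timestamps and the five-hosts-in-five-minutes scan threshold are assumptions.

```python
"""Detection helpers for the indicators in the post above.

Added example, not code from the original mailing-list thread.  All input
below is constructed sample data; only the port numbers (1111, 2468, 445)
come from the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Listening ports the post associates with cmd.exe backdoors
# (constructed indicator list; extend from your own incident data).
SUSPECT_LISTEN_PORTS = {1111, 2468}

# Constructed sample in the style of `netstat -ano` on Windows 2K/XP.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1111           0.0.0.0:0              LISTENING       1524
  TCP    0.0.0.0:2468           0.0.0.0:0              LISTENING       1536
  TCP    192.0.2.10:2468        198.51.100.7:3921      ESTABLISHED     1536
  UDP    0.0.0.0:445            *:*                                    4
"""

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(?P<laddr>\S+):(?P<lport>\d+)\s+\S+\s+LISTENING\s+(?P<pid>\d+)\s*$"
)


def suspicious_listeners(netstat_text):
    """Return [(port, pid)] for TCP listeners on the suspect ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m and int(m.group("lport")) in SUSPECT_LISTEN_PORTS:
            hits.append((int(m.group("lport")), int(m.group("pid"))))
    return hits


# Constructed firewall-style log: "<ISO timestamp> <action> TCP <src> <dst> <dport>"
SAMPLE_FW_LOG = """\
2002-09-06T02:11:00 DROP TCP 203.0.113.9 192.0.2.10 445
2002-09-06T02:11:01 DROP TCP 203.0.113.9 192.0.2.11 445
2002-09-06T02:11:01 DROP TCP 203.0.113.9 192.0.2.12 445
2002-09-06T02:11:02 DROP TCP 203.0.113.9 192.0.2.13 445
2002-09-06T02:11:02 DROP TCP 203.0.113.9 192.0.2.14 445
2002-09-06T02:11:03 DROP TCP 203.0.113.9 192.0.2.15 445
2002-09-06T02:15:00 DROP TCP 198.51.100.7 192.0.2.10 445
2002-09-06T02:15:30 DROP TCP 198.51.100.7 192.0.2.10 80
2002-09-06T03:40:00 DROP TCP 203.0.113.9 192.0.2.20 445
"""

FW_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+TCP\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)$"
)


def smb_scanners(log_text, port=445, min_hosts=5, window=timedelta(minutes=5)):
    """Return {src: distinct_dst_count} for sources that reach at least
    `min_hosts` distinct destinations on `port` within any `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m or int(m.group("dport")) != port:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        events[m.group("src")].append((ts, m.group("dst")))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start, best = 0, 0
        # Sliding time window over this source's events, tracking the
        # largest number of distinct targets seen inside one window.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = len({dst for _, dst in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_hosts:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print("suspect listeners:", suspicious_listeners(SAMPLE_NETSTAT))
    print("445/tcp scanners:", smb_scanners(SAMPLE_FW_LOG))
```

The listener check keys on LISTENING state only, so an ESTABLISHED session on 2468 is not counted twice; the PID it returns is what you would cross-reference against the process list to confirm it is cmd.exe. The scan check counts distinct destinations rather than raw packets, so a single host retrying 445 repeatedly (the 198.51.100.7 case above) does not trip it.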



----- Original Message -----
From: "Baribault, Gary" <gary () baribault net>
To: "H C" <keydet89 () yahoo com>; "Bronek Kozicki" <brok () rubikon pl>;
<incidents () securityfocus com>
Sent: Friday, September 06, 2002 5:35 PM
Subject: Re: Q328691 ?


Microsoft themselves have admitted that there was a dramatic increase in
attacks on Win2K servers .. this is public knowledge .. they have not given
out all of the details, and this 'could' be using known existing problems,
but it did not sound like that from their explanations.

They claim that they have .bat files and known Trojans from the compromised
systems, but that they do not consider the attacks to be a 'worm'.

I don't know why you are disputing the increase just because there have
been no details revealed yet. The gentleman just said that there was an
increase in attacks.

Gary B

At 02:09 PM 9/6/2002 -0700, H C wrote:
Increase in attacks?  How so?

My idea is this...the alert says absolutely nothing of
use.


--- Bronek Kozicki <brok () rubikon pl> wrote:
There seems to be an increase of attacks on Windows
recently:

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691

Any ideas?


B.





----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com












