Security Incidents mailing list archives
RE : Pubstro rash
From: Bourque Daniel <Daniel.Bourque () loto-quebec com>
Date: Thu, 17 Mar 2005 16:37:55 -0500
Yes you can block TCP/UDP 53 for all except your real DNS server. Nobody need DNS/SMTP access from Inside to Outside your firewall. You just have to open it for your dedicated server. -----Message d'origine----- De : David Gillett [mailto:gillettdavid () fhda edu] Envoyé : 17 mars, 2005 15:35 À : incidents () securityfocus com Objet : RE: Pubstro rash Further detail: I'm being told that all of the compromised workstations are running 2KPro or NTW. So that suggests that the attackers are getting in through a hole that is fixed in XP or its service packs.
-----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: Wednesday, March 16, 2005 5:59 PM To: 'incidents () securityfocus com' Subject: Pubstro rash A few times in the past, someone has managed to break into one or another of our servers and set up an FTP server ("pubstro") on an unused high port. I'm facing something similar at the moment, but there are some distinct differences: 1. The compromised hosts are workstations, not servers. I'm hoping our field techs will be able to identify a common OS/SP level amongst the compromised machines. No servers appear to be affected. 2. There have been 14 of them in less than 5 days. OUCH. 3. Instead of a random high port, the installed FTP server listens on port 53. Which I can't block, because DNS may need to use it, right? 4. The FTP banners all claim to be the work of "Droppunx". 5. At this point, I don't know how the machines are getting compromised initially. I'd appreciate if anyone else is seeing this pattern and has some insight they'd care to share. David Gillett
Current thread:
- RE : Pubstro rash Bourque Daniel (Mar 17)