Educause Security Discussion mailing list archives

Question on increased scanning/compromise activity


From: Herbert Baines III <herbert.baines () OIT GATECH EDU>
Date: Wed, 11 Sep 2002 10:46:48 -0400

Since 8pm 9/6/2002 we have been experiencing a substantial increase in the
number of external scans against GT systems (port 445). The scans are
identifying open Windows fileshares. The background investigation into a
sampling of known compromised systems does not yield forensic information
that shows a conclusive method of compromise.

We have established that there are a number of compromised IRC
Windows-based servers; some of the IRC servers were created after Windows
systems were compromised using the (undefined) filesharing port exploit.

Our decentralized Computer Support Representatives are noticing compromised
systems scanning locally for potential exploits.

Has anyone seen increased in-bound 445 scanning and increased out-bound IRC
activity at their sites?


http://www.theregister.co.uk/content/4/27007.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
http://www.theregus.com/content/4/26226.html
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21061
http://www.theregister.co.uk/content/55/27036.html

Best regards,

-Herb
Herbert Baines III, CISSP
Director, Georgia Tech Information Security
Georgia Institute of Technology
258 4th Street
Atlanta, GA 30332
http://www.security.gatech.edu/architecture
http://www.security.gatech.edu/policy/usage.html
herbert.baines () oit gatech edu
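The question asks whether other sites see the same pair of symptoms: inbound sweeps of port 445 and outbound IRC connections from hosts on campus. The following script is an added illustration of how a site could check its own firewall logs for that pattern; it is not code from the original post or from Georgia Tech. It assumes a simplified one-connection-per-line log format (timestamp, source IP, destination IP, destination port, action), an internal address prefix, and a set of common IRC ports, and the log lines it runs on are constructed, not real traffic.

```python
"""Flag external hosts sweeping port 445 and internal hosts opening outbound
IRC connections, then correlate the two, from a simplified firewall log.

Added example, not code from the original post. The log format
"ts src dst dport action" is an assumption, not any particular firewall's;
the sample lines below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample log in the assumed "ts src_ip dst_ip dport action" format.
SAMPLE_LOG = """\
2002-09-06T20:01:02 203.0.113.9 130.207.0.10 445 DENY
2002-09-06T20:01:02 203.0.113.9 130.207.0.11 445 DENY
2002-09-06T20:01:03 203.0.113.9 130.207.0.12 445 ALLOW
2002-09-06T20:01:03 203.0.113.9 130.207.0.13 445 DENY
2002-09-06T20:01:04 203.0.113.9 130.207.0.14 445 DENY
2002-09-06T20:02:10 198.51.100.7 130.207.0.20 80 ALLOW
2002-09-06T20:05:00 130.207.0.12 192.0.2.44 6667 ALLOW
2002-09-06T20:05:30 130.207.0.12 192.0.2.44 6667 ALLOW
2002-09-06T20:06:00 130.207.0.50 192.0.2.80 443 ALLOW
"""

INTERNAL_PREFIX = "130.207."                 # assumption: the site's own address block
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}   # commonly used IRC server ports
SCAN_THRESHOLD = 4                           # distinct internal targets on 445 before flagging


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed lines."""
    ts, src, dst, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "action": action}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def find_445_scanners(lines, threshold=SCAN_THRESHOLD):
    """Return {external_src: sorted internal hosts probed on 445} for sources
    that touched at least `threshold` distinct internal hosts (a sweep, not
    a single connection). Denied and allowed attempts both count."""
    targets = defaultdict(set)
    for rec in map(parse_line, lines):
        if rec["dport"] == 445 and not is_internal(rec["src"]) and is_internal(rec["dst"]):
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}


def find_outbound_irc(lines):
    """Return {internal_src: set of external IRC servers it connected to},
    counting only connections the firewall allowed through."""
    servers = defaultdict(set)
    for rec in map(parse_line, lines):
        if (rec["action"] == "ALLOW" and rec["dport"] in IRC_PORTS
                and is_internal(rec["src"]) and not is_internal(rec["dst"])):
            servers[rec["src"]].add(rec["dst"])
    return dict(servers)


def correlate(lines):
    """Internal hosts that were probed on 445 by a sweep source and then
    opened outbound IRC connections: the scan -> compromise -> IRC pattern
    the post describes. These are the hosts to pull for forensic review."""
    scanners = find_445_scanners(lines)
    probed = {h for hosts in scanners.values() for h in hosts}
    return sorted(h for h in find_outbound_irc(lines) if h in probed)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("445 sweep sources:", find_445_scanners(lines))
    print("outbound IRC clients:", find_outbound_irc(lines))
    print("probed on 445 and then talking IRC:", correlate(lines))
```

Against the constructed log, the sweep source is reported with the five hosts it probed, one internal host shows outbound IRC, and the correlation step singles that host out because it appears in both lists. The threshold keeps a single 445 connection (an ordinary file-share access from off campus) from being reported as a scan; raise or lower it to suit the site's normal traffic.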

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/memdir/cg/.
