Educause Security Discussion mailing list archives
Question on increased scanning/compromise activity
From: Herbert Baines III <herbert.baines () OIT GATECH EDU>
Date: Wed, 11 Sep 2002 10:46:48 -0400
Since 8pm 9/6/2002 we have been experiencing a substantial increase in the number of external scans against GT systems (port 445). The scans are identifying open Windows fileshares. The background investigation into a sampling of known compromised systems does not yield forensic information that shows a conclusive method of compromise. We have established that there are a number of compromised IRC Windows-based servers; some of the IRC servers were created after Windows systems were compromised using the (undefined) filesharing port exploit. Our decentralized Computer Support Representatives are noticing compromised systems scanning locally for potential exploits.

Has anyone seen increased in-bound 445 scanning and increased out-bound IRC activity at their sites?

http://www.theregister.co.uk/content/4/27007.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
http://www.theregus.com/content/4/26226.html
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21061
http://www.theregister.co.uk/content/55/27036.html

Best regards,
-Herb

Herbert Baines III, CISSP
Director, Georgia Tech Information Security
Georgia Institute of Technology
258 4th Street
Atlanta, GA 30332
http://www.security.gatech.edu/architecture
http://www.security.gatech.edu/policy/usage.html
herbert.baines () oit gatech edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/.
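A triage sketch for the pattern the post describes (external port 445 probes, followed by out-bound IRC or local 445 scanning from the probed host), added here as an example and not part of the original message. The flow record layout, the internal network range, the IRC port set and the fan-out threshold are all assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumption: site address space
IRC_PORTS = set(range(6660, 6670)) | {7000}    # assumption: commonly used IRC ports
SCAN_FANOUT = 3  # assumption: distinct local 445 targets that count as scanning

# Constructed sample flow records, one per line: "epoch src dst dport"
SAMPLE = """\
100 203.0.113.5 10.1.1.10 445
101 203.0.113.5 10.1.1.11 445
102 203.0.113.5 10.1.1.12 445
200 10.1.1.10 198.51.100.7 6667
210 10.1.1.10 10.1.2.1 445
211 10.1.1.10 10.1.2.2 445
212 10.1.1.10 10.1.2.3 445
300 10.1.1.12 192.0.2.80 80
050 10.1.3.9 198.51.100.7 6667
"""

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL

def triage(flow_text):
    """Map probed internal hosts to the follow-on behaviour seen after the probe."""
    probed = {}                   # internal host -> time of first external 445 probe
    irc = defaultdict(set)        # host -> external IRC peers contacted afterwards
    local445 = defaultdict(set)   # host -> internal 445 targets contacted afterwards
    flows = sorted((int(t), s, d, int(p)) for t, s, d, p in
                   (line.split() for line in flow_text.splitlines() if line.strip()))
    for ts, src, dst, dport in flows:
        if dport == 445 and not is_internal(src) and is_internal(dst):
            probed.setdefault(dst, ts)
        elif src in probed and ts > probed[src]:
            if dport in IRC_PORTS and not is_internal(dst):
                irc[src].add(dst)
            elif dport == 445 and is_internal(dst):
                local445[src].add(dst)
    report = {}
    for host in probed:
        findings = []
        if irc[host]:
            findings.append("outbound-irc")
        if len(local445[host]) >= SCAN_FANOUT:
            findings.append("local-445-scan")
        if findings:
            report[host] = findings
    return report
```

Calling `triage(SAMPLE)` lists only hosts that were probed on 445 from outside and then showed one of the two follow-on behaviours; a host with IRC traffic but no prior probe is not reported.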