Educause Security Discussion mailing list archives

Re: Recent Gaobot event


From: Robert Johnson <robert.johnson () WMICH EDU>
Date: Tue, 21 Dec 2004 11:06:38 -0500

** High Priority **

I would like a copy of that as well if you don't mind..

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
Robert L. Johnson
Security Administrator                  v-mail: 269.387.4093
Office Of Information Technology        fax:    269.387.5473
Western Michigan University             e-mail: robert.johnson () wmich edu
Kalamazoo, MI  49008-5206               web:    www.wmich.edu/oit


IMPORTANT:  The contents of this electronic mail communication are
privileged information.  It is intended solely for the addressees
listed.   Any use of this communication, other than its designated
purpose, is prohibited. If you have received this communication and
you are not an addressee, please delete the message.  Notify
robert.johnson () wmich edu that you have received this electronic mail
message in error,  and that you have deleted it from your file
folder(s).


jvieira () CLARKU EDU 12/21/2004 9:39:46 AM >>>
Would you mind sending it to me as well?

Joe Vieira
Desktop Security Analyst
Information Technology Services
Clark University
(508)-793-7287


-----Original Message-----
From: Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU]
Sent: Monday, December 20, 2004 4:55 PM
Subject: Re: Recent Gaobot event

I would like it as well.

Aaron M Gibbs
Director
Networking and Telecommunications
St. Augustine's College
Center for Information Technology
919-516-4237 (Office)
919-516-4382 (Fax)
amgibbs () st-aug edu
www.st-aug.edu


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Mark Wilson
Sent: Thursday, December 16, 2004 3:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event


Gary,
I would like the snort sig as well.

Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

dobbins () ND EDU 12/16/2004 11:08:23 AM >>>
If anyone would like the SNORT sig we're using to sense 'bots phoning home
for control instructions, just drop me a line.  Am not sure posting it here
would be wise - too many lurkers who might like to subtly alter this
overused variant to counter the sig.

When this triggers an alert on your SNORT, the bot is just waking up and
still benign (relatively speaking) and can be removed before the 'owner'
wakes them up and uses them to do harm.


H. Morrow Long wrote:
Gordon -- Yes, we saw this, but it was for approx. the
two weeks prior to last week. A number of PCs
were hit with it and they began attempting to brute
force the passwords for (all of ?) the accounts in our
Active Directory.

We'd just implemented a domain account lockdown
policy -- a short lockdown period -- after a somewhat
high number of unsuccessful login attempts
so we began to see the effects of the new lockdown
policy kick into effect rather quickly (some users
reported their accounts would lock out for the
lockdown period).

The infected PCs would show up in the security
event log of other computers and the active directory
servers with high numbers of unsuccessful login
attempts on various accounts.

- H. Morrow Long, CISSP, CISM
University Information Security Officer
Director -- Information Security Office
Yale University, ITS


On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote:

    Is anyone else seeing any evidence of this on their campus? Like
    Boston College, we've been hit with this within the past two weeks,
    and at one point the traffic generated by machines attempting to
    phone home seriously affected our network performance.



    Virus Steals Student Passwords: Boston College's campus network was
    hit by a virus that forced computers to guess at passwords that
    would provide access to other linked machines.
    /The Heights/


    Curiously, we've found little discussion of this elsewhere.

    Gordon

    ********** Participation and subscription information for this
    EDUCAUSE Discussion Group discussion list can be found at
    http://www.educause.edu/groups/.


--

   ------------------------------------------------------------
   Gary Dobbins, CISSP -- Director, Information Security
   University of Notre Dame, Office of Information Technologies
