Educause Security Discussion mailing list archives

Re: Recent Gaobot event


From: Barbara Tibbs <barbara.tibbs () HAMPTONU EDU>
Date: Fri, 24 Dec 2004 17:54:38 -0500

Would you please pass it on to the whole list?

Thanks

 

Barbara Tibbs

Hampton University

757-728-6736

barbara.tibbs () hamptonu edu

 

________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Michael Horne
Sent: Tuesday, December 21, 2004 10:48 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event

 

Would you be so kind as to send it to me as well?

Thanks in advance and Happy Holidays!

 

Mike

 

________________________________

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Joseph Vieira
Sent: Tuesday, December 21, 2004 9:40 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Recent Gaobot event

Would you mind sending it to me as well? 

Joe Vieira                   
Desktop Security Analyst    
Information Technology Services 
Clark University              
(508)-793-7287 

 

-----Original Message----- 
From: Gibbs, Aaron M. [mailto:AMGibbs () ST-AUG EDU] 
Sent: Monday, December 20, 2004 4:55 PM 
Subject: Re: Recent Gaobot event 

I would like it as well. 

Aaron M Gibbs 
Director 
Networking and Telecommunications 
St. Augustine's College 
Center for Information Technology 
919-516-4237 (Office) 
919-516-4382 (Fax) 
amgibbs () st-aug edu 
www.st-aug.edu 

 

-----Original Message----- 
From: The EDUCAUSE Security Discussion Group Listserv 
[mailto:SECURITY () LISTSERV EDUCAUSE EDU]On Behalf Of Mark Wilson 
Sent: Thursday, December 16, 2004 3:39 PM 
To: SECURITY () LISTSERV EDUCAUSE EDU 
Subject: Re: [SECURITY] Recent Gaobot event 

 

Gary, 
I would like the snort sig as well. 

Mark Wilson 
GCIA, CISSP #53153 
Network Security Specialist 
Auburn University 
(334) 844-9347 

dobbins () ND EDU 12/16/2004 11:08:23 AM >>> 
If anyone would like the SNORT sig we're using to sense 'bots phoning
home for control instructions, just drop me a line.  Am not sure
posting it here would be wise - too many lurkers who might like to
subtly alter this overused variant to counter the sig.

When this triggers an alert on your SNORT, the bot is just waking up
and still benign (relatively speaking) and can be removed before the
'owner' wakes them up and uses them to do harm.

 

H. Morrow Long wrote: 
Gordon -- Yes, we saw this, but it was for approx. the 
two weeks prior to last week. A number of PCs 
were hit with it and they began attempting to brute 
force the passwords for (all of ?) the accounts in our 
Active Directory. 

We'd just implemented a domain account lockdown 
policy -- a short lockdown period -- after a somewhat 
high number of unsuccessful login attempts 
so we began to see the effects of the new lockdown 
policy kick into effect rather quickly (some users 
reported their accounts would lock out for the 
lockdown period). 

The infected PCs would show up in the security 
event log of other computers and the active directory 
servers with high numbers of unsuccessful login 
attempts on various accounts. 

- H. Morrow Long, CISSP, CISM 
University Information Security Officer 
Director -- Information Security Office 
Yale University, ITS 


On Dec 16, 2004, at 7:26 AM, Gordon D. Wishon wrote: 

    Is anyone else seeing any evidence of this on their campus? Like
    Boston College, we've been hit with this within the past two weeks,
    and at one point the traffic generated by machines attempting to
    phone home seriously affected our network performance.



    Virus Steals Student Passwords: Boston College's campus network was
    hit by a virus that forced computers to guess at passwords that
    would provide access to other linked machines.
    /The Heights/ 


    Curiously, we've found little discussion of this elsewhere. 

    Gordon 

    ********** Participation and subscription information for this 
    EDUCAUSE Discussion Group discussion list can be found at 
    http://www.educause.edu/groups/. 


-- 

   ------------------------------------------------------------ 
   Gary Dobbins, CISSP -- Director, Information Security 
   University of Notre Dame, Office of Information Technologies 
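
Added example (not part of the original thread): the symptom H. Morrow Long describes, one workstation producing failed logins against many different accounts, can be pulled out of logon records with a sliding-window count of distinct accounts per source. The CSV layout, host names, account names and thresholds below are constructed for illustration; 4625 and 4624 are the failed and successful logon event IDs on current Windows versions.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: time, event_id, target account, source host.
# This is a simplified export layout assumed for the example, not a native format.
SAMPLE_LOG = """\
2024-01-15T09:00:01,4625,asmith,PC-LAB-17
2024-01-15T09:00:02,4625,bjones,PC-LAB-17
2024-01-15T09:00:03,4625,cwu,PC-LAB-17
2024-01-15T09:00:04,4625,dlee,PC-LAB-17
2024-01-15T09:00:05,4625,epatel,PC-LAB-17
2024-01-15T09:00:06,4625,fkim,PC-LAB-17
2024-01-15T09:01:10,4625,gchan,PC-OFFICE-03
2024-01-15T09:01:25,4625,gchan,PC-OFFICE-03
2024-01-15T09:01:40,4625,gchan,PC-OFFICE-03
2024-01-15T09:02:00,4624,gchan,PC-OFFICE-03
2024-01-15T08:00:00,4625,asmith,KIOSK-01
2024-01-15T10:00:00,4625,bjones,KIOSK-01
2024-01-15T12:00:00,4625,cwu,KIOSK-01
2024-01-15T14:00:00,4625,dlee,KIOSK-01
2024-01-15T16:00:00,4625,epatel,KIOSK-01
"""

FAILED_LOGON = "4625"


def find_guessing_hosts(log_text, window_minutes=5, min_accounts=5):
    """Return {source_host: peak number of distinct accounts with failed
    logons inside any window}, for hosts whose peak reaches min_accounts."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # host -> (time, account) pairs still in window
    peak = defaultdict(int)       # host -> most distinct accounts seen at once
    rows = [r for r in csv.reader(io.StringIO(log_text)) if r]
    rows.sort(key=lambda r: r[0])  # ISO timestamps sort correctly as strings
    for ts, event_id, account, host in rows:
        if event_id != FAILED_LOGON:
            continue
        when = datetime.fromisoformat(ts)
        events = recent[host]
        events.append((when, account.lower()))
        # Drop failures that have aged out of the window for this host.
        while when - events[0][0] > window:
            events.popleft()
        peak[host] = max(peak[host], len({a for _, a in events}))
    # A user mistyping one password repeatedly stays at 1 distinct account,
    # so only hosts spraying across many accounts are reported.
    return {h: n for h, n in peak.items() if n >= min_accounts}
```

On the sample, only PC-LAB-17 is reported: PC-OFFICE-03 fails repeatedly on a single account, and KIOSK-01's failures are spread too thinly to share a window.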
