Re: Domain Controller Attacks

["Wayne J. Hauber" <wjhauber () IASTATE EDU>]

At 10:38 AM 10/14/2005, Dave Monnier, IT Security Office, Indiana
University wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Wayne Bullock wrote:
> > Working with Security they believe thinks it's some type of virus that
> > appears to be going around on student's machines. Is anyone else seeing
> > this?
>
> This is fairly common. Some code tries to exploit other code, other code
> tries to exploit poor passwords.  Could be most anything.

We had all of our schools AD domain controllers under attack this
week. It may not be your attacker. Ours was a password attack like
yours, though. We found four systems running some sort of bot. They
also had an ftp server with the banner "220 Reptile is ready to
serve". We found a couple of command and control systems that we've
blocked. At least at our school, we are seeing a bots in a common botnet.


> Cheers,
> - -Dave
>
> - --
>
> | Dave Monnier - dmonnier () iu edu - http://mypage.iu.edu/~dmonnier/ |
> |  Lead Security Engineer, Information Technology Security Office  |
> |  Office of the VP for Information Technology, Indiana University |
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.1 (GNU/Linux)
>
> iD8DBQFDT9ELBIf6jlONJjIRArTgAJ9/zTHdBdbDBKeC4A09uK2V9BOO7wCgjHyA
> Ts8g0Z9WSMo/b8vQkK0Rq+E=
> =Ri16
> -----END PGP SIGNATURE-----


Wayne Hauber (515) 294-9890
Information Technology Services
IT Security and Policies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu