Security Incidents mailing list archives

Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com


From: "Rainer Duffner" <rainer () ultra-secure de>
Date: Tue, 07 May 2002 18:12:09 +0200

Edwards, David (JTS) writes:
Hi,
We've just found some instances of "netbuie.exe" running in some terminal
server sessions here. The file was written to the Winnt\system32

[snip]
Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server patches missing and 2 IE6. This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-) The worry is (of course) that the server is further compromised. Anyone seen this before?

No, but if one of the missing patches was the one against the "DebPloit",
then the person could really have done "anything".
And thus it is, as always, best to reload the OS.

Does system32 still have full control for everybody?
Or was the file written by an administrator?


cheers,
Rainer

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rainer Duffner                   Munich
rainer () ultra-secure de          Germany
http://www.i-duffner.de        Freising
========================================
   When shall we three meet again
 In thunder, lightning, or in rain?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~