Security Incidents mailing list archives

RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com


From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Wed, 8 May 2002 12:20:01 +0930

Hi,

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Wednesday, 8 May 2002 10:49 AM
To: incidents () securityfocus com
Cc: Edwards, David (JTS)
Subject: Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

"Edwards, David  (JTS)" <Edwards.Dave () saugov sa gov au> wrote:

We've just found some instances of "netbuie.exe" running in 
some terminal server sessions here.  The file was written to the 
Winnt\system32 directory about 6:00pm on Sunday and registry 
entries made in:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\Run

First, why do non-admin users even have write access to these keys?

If they don't, you clearly need to revise your site's judgments about 
who is worthy of having admin (equivalent) passwords.

Hmmm, who rattled your chain?  Are you saying that the
only way this incident could have happened is if one of 
our administrators stuffed up?

And no, domain users do not have write access to those keys.

This sounded familiar (when I first saw it) but I haven't 
been able to find any other references so I thought I'd 
make one :-)   The worry is (of course) that the server 
is further compromised.  Anyone seen this before?

Can't help you on the likely entry point, but given that non-admin 
users can change crucial registry key contents or that some of your 
admins are incompetent, I'm not sure that compromise via open 
security vulnerabilities is the most obvious path of entry...

<Step back, let that one through to the keeper>

[snip]

Thanks for your "constructive" comments.  

However, it's too early to tell if it's a virus.  
There is no indication that it's spreading on our network.

ciao
dave
---
Dave Edwards 
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355 
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Division 
        GPO Box 2048, Adelaide 5001
---
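The question Nick raises (who can write to the HKLM Run keys) and the observation Dave started from (a binary dropped into system32 and registered for autostart) are both answerable on the box itself. The script below is an added example, not code from either poster; it assumes the standard key path HKLM\Software\Microsoft\Windows\CurrentVersion\Run (plus RunOnce, and the second key exactly as Dave spelled it), that it is run in an elevated PowerShell session on the affected server, and that the set of principals expected to hold write access is SYSTEM, Administrators and TrustedInstaller. It reports any other principal granted a right that would let it plant or alter a value, then lists every autostart value with the on-disk creation time of its target, which is the timestamp that dated the netbuie.exe drop.

```powershell
# Added example (not from the thread): audit HKLM Run keys for write access
# held by non-administrative principals and list what each key launches.
# Assumption: standard key paths; the third key is included only because
# the thread names it.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\Run'
)

# Rights that let a principal add, change or remove an autostart entry or
# rewrite the key's own permissions.  Deliberately excludes WriteKey and
# FullControl as mask members: both contain the READ_CONTROL bit that every
# read-only ACE also carries, which would make plain readers show up as writers.
$R = [System.Security.AccessControl.RegistryRights]
$writeMask = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
             $R::ChangePermissions -bor $R::TakeOwnership

# Principals expected to hold write access on a machine-wide Run key
# (assumption; adjust to the site's own build standard).
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        Write-Output "$key : not present"
        continue
    }

    # Part 1: who, other than the trusted set, is allowed to write here?
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                       ((([int]$ace.RegistryRights) -band ([int]$writeMask)) -ne 0)
        if ($grantsWrite -and ($trusted -notcontains $ace.IdentityReference.Value)) {
            Write-Output ("{0} : WRITE granted to {1} ({2})" -f
                          $key, $ace.IdentityReference.Value, $ace.RegistryRights)
        }
    }

    # Part 2: every autostart value, with the creation time of the target file.
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
        # Pull the executable out of a quoted or unquoted command line.
        $exe = $cmd -replace '^"([^"]+)".*$', '$1'
        $exe = $exe -replace '^(\S+\.exe)(\s.*)?$', '$1'
        $created = if (Test-Path -LiteralPath $exe) {
            (Get-Item -LiteralPath $exe).CreationTime
        } else {
            'target not found'
        }
        Write-Output ("{0} : {1} = {2} [target created {3}]" -f $key, $name, $cmd, $created)
    }
}
```

A "WRITE granted to" line naming Users, Everyone, Authenticated Users or a terminal-server session group is the answer to Nick's first question; if none appears, the value was written by something already running as SYSTEM or an administrator, and the creation timestamps give the window to search in the event logs.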



