Security Incidents mailing list archives
RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Wed, 8 May 2002 12:20:01 +0930
Hi,
-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk]
Sent: Wednesday, 8 May 2002 10:49 AM
To: incidents () securityfocus com
Cc: Edwards, David (JTS)
Subject: Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

> "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au> wrote:
>
> > We've just found some instances of "netbuie.exe" running in some terminal server sessions here. The file was written to the Winnt\system32 directory about 6:00pm on Sunday and registry entries made in:
> >
> > HKLM/Software\Microsoft\windows\current version\run
> > HKLM/Software\Microsoft\windows\run
>
> First, why do non-admin users even have write access to these keys? If they don't, you clearly need to revise your site's judgments about who is worthy of having admin (equivalent) passwords.

Hmmm, who rattled your chain.. Are you saying that the only way this incident could have happened is if one of our administrators stuffed up? And no, domain users do not have write access to those keys.

> > This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-) The worry is (of course) that the server is further compromised. Anyone seen this before?
>
> Can't help you on the likely entry point, but given that non-admin users can change crucial registry key contents or that some of your admins are incompetent, I'm not sure that compromise via open security vulnerabilities is the most obvious path of entry...

<Step back, let that one through to the keeper>

[snip]

Thanks for your "constructive" comments. However, it's too early to tell if it's a virus. There is no indication that it's spreading on our network.

ciao
dave

---
Dave Edwards
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Division
        GPO Box 2048, Adelaide 5001
---

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
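As an added example (not part of this thread), a PowerShell check a defender could run on a terminal server to answer the two questions the exchange above turns on: what is registered under the machine-wide Run keys, with the last-write time of each image (the kind of timestamp that exposed the Sunday 6:00pm drop into system32), and whether any non-admin principal holds write rights on those keys. It assumes the standard CurrentVersion\Run and RunOnce key names; the list of low-privilege principals is an assumption to adapt to the site.

```powershell
# Added example: audit HKLM autorun keys for entries and for over-permissive ACLs.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: principals that should never hold write rights on machine-wide autorun keys.
$LowPrivPrincipals = @('BUILTIN\Users', 'Everyone',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow creating or changing an autorun entry (FullControl includes both).
$WriteRights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
               [System.Security.AccessControl.RegistryRights]::CreateSubKey

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    Write-Host "== $key"

    # 1. Enumerate autorun values and resolve the executable each one launches.
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        $cmd = [string]$props.$name
        # Strip surrounding quotes and arguments to isolate the image path.
        $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        $written = if (Test-Path $exe) { (Get-Item $exe).LastWriteTime } else { 'MISSING' }
        Write-Host ("  {0,-20} {1}  (image written: {2})" -f $name, $cmd, $written)
    }

    # 2. Flag Allow ACEs that let low-privilege principals write to the key.
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        $grantsWrite = ($ace.RegistryRights -band $WriteRights) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $grantsWrite -and ($LowPrivPrincipals -contains $id)) {
            Write-Warning "  $id can write to $key ($($ace.RegistryRights))"
        }
    }
}
```

Run it from an elevated session on the affected server; a warning from the second loop means the persistence could have been written without an administrator's credentials, while a clean ACL points back at whatever account wrote the entry.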
Current thread:
- netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com H C (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Nick FitzGerald (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Brian McWilliams (May 09)
- <Possible follow-ups>
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 08)
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 08)