Security Incidents mailing list archives

RE: Trojan of somesort - Update


From: Harlan Carvey <keydet89 () yahoo com>
Date: Fri, 28 May 2004 08:11:20 -0700 (PDT)



From BtB's original post

I am currently doing an investigation into a compromised system. Before pulling the plug I netcatted to a suspicious open port and received the following banner:

         220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!

- suspicious open port (not normal FTP port for that system)
- FXP FTP server banner on that port

I don't know of a way to make these happen without abusing the system from the inside or compromising it from the outside.

I'd agree, but to be honest, just b/c there's a suspicious bit of software running on the system, there's not anything in BtB's original post that indicates that the system was "hacked".  BtB never made mention of whether or not he had blank/weak passwords, or if someone had gotten in by finding a blank sa password on MS SQL, or by using directory traversal on IIS.

From that standpoint, there's nothing in BtB's original post or otherwise that indicates a "hack"...but yes, you're right...I'm making it a matter of semantics.  I think it's important to distinguish...leaving the door open for a kiddie to compromise your box doesn't necessarily make it a "hack".
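A defender-side triage of banner-grab results, added here as an example and not part of the thread: it parses the numeric service greeting and flags a 220 "service ready" reply on a port where neither FTP nor SMTP is expected (SMTP also greets with 220, so port alone does not make it FTP), plus FXP and leetspeak hints in the text. The sample banner list and the port 1337 are constructed; the post never named the port.

```python
import re

# Constructed sample in the shape a banner grab (e.g. netcat) returns:
# (port, first line received). The port-1337 entry reuses the banner quoted
# in the post; the port number itself is an assumption.
SAMPLE_BANNERS = [
    (21, "220 ProFTPD Server ready."),
    (25, "220 mail.example.test ESMTP"),
    (1337, "220 SiGN - FR33-FXP3rs - On Da FUcKiNG C@S£!!!"),
    (8080, "HTTP/1.1 400 Bad Request"),
]

# RFC 959 / RFC 5321 reply line: 3-digit code, then ' ' (final line) or '-' (continuation).
REPLY_LINE = re.compile(r"^(?P<code>\d{3})(?P<sep>[ -])(?P<text>.*)$")
STANDARD_FTP_PORTS = {21}
STANDARD_SMTP_PORTS = {25, 465, 587}  # SMTP greets with 220 too; do not mislabel it as FTP


def parse_greeting(banner):
    """Return (code, text) for a numeric service greeting, or None if the line is not one."""
    m = REPLY_LINE.match(banner.strip())
    if not m:
        return None
    return int(m.group("code")), m.group("text")


def assess_banner(port, banner):
    """Return a list of findings for one (port, banner) pair; empty means nothing notable."""
    findings = []
    parsed = parse_greeting(banner)
    if parsed is None:
        return findings  # not an FTP/SMTP style greeting, e.g. an HTTP response
    code, text = parsed
    if code == 220 and port not in STANDARD_FTP_PORTS | STANDARD_SMTP_PORTS:
        findings.append("220 service-ready greeting on non-standard port")
    if "fxp" in text.lower():
        findings.append("banner advertises FXP (server-to-server file transfer)")
    # Digits embedded in words (FR33, FXP3rs) are the leetspeak typical of warez-group banners.
    if re.search(r"[A-Za-z][0-9][A-Za-z]|[A-Za-z]{2}[0-9]{2}\b", text):
        findings.append("leetspeak in greeting text")
    return findings


def triage(banners):
    """Map each port to its findings so a responder can see at a glance what needs a look."""
    return {port: assess_banner(port, banner) for port, banner in banners}


if __name__ == "__main__":
    for port, findings in triage(SAMPLE_BANNERS).items():
        print(port, findings or "nothing notable")
```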

