Security Incidents mailing list archives
RE: Pubstro rash
From: "Alexandre Skyrme" <alexandre.skyrme () ciphersec com br>
Date: Thu, 17 Mar 2005 18:57:18 -0300
Greetings David, Just a thought about your third comment... As far as I'm concerned DNS just uses 53/TCP to do zone transfers. In case your workstations are on a different network than your DNS servers it should probably be safe to block incoming TCP connections to that network on such port. Tipically zone transfers would only be used by secondary servers to update their own zones from its primary server. Regards, -- Alexandre Skyrme Cipher - Segurança da Informação +55-21-2542-6677 www.ciphersec.com.br Esta mensagem eletrônica pode conter informações privilegiadas e/ou confidenciais, portanto fica o seu receptor notificado de que qualquer disseminação, distribuição ou cópia não autorizada é estritamente proibida. Se você recebeu esta mensagem indevidamente ou por engano, por favor, informe este fato ao remetente e a apague de seu computador imediatamente. This e-mail message may contain legally privileged and/or confidential information, therefore, the recipient is hereby notified that any unauthorized dissemination, distribution or copying is strictly prohibited. If you have received this e-mail message inappropriately or accidentally, please notify the sender and delete it from your computer immediately. -----Original Message----- From: David Gillett [mailto:gillettdavid () fhda edu] Sent: quarta-feira, 16 de março de 2005 22:59 To: incidents () securityfocus com Subject: Pubstro rash A few times in the past, someone has managed to break into one or another of our servers and set up an FTP server ("pubstro") on an unused high port. I'm facing something similar at the moment, but there are some distinct differences: 1. The compromised hosts are workstations, not servers. I'm hoping our field techs will be able to identify a common OS/SP level amongst the compromised machines. No servers appear to be affected. 2. There have been 14 of them in less than 5 days. OUCH. 3. Instead of a random high port, the installed FTP server listens on port 53. Which I can't block, because DNS may need to use it, right? 4. The FTP banners all claim to be the work of "Droppunx". 5. At this point, I don't know how the machines are getting compromised initially. I'd appreciate if anyone else is seeing this pattern and has some insight they'd care to share. David Gillett
Current thread:
- strange software > winsupdater.exe SDA (Mar 15)
- Re: strange software > winsupdater.exe Nick FitzGerald (Mar 16)
- Re: strange software > winsupdater.exe Justin (Mar 16)
- Re: strange software > winsupdater.exe Jeremy Anderson (Mar 17)
- Re: strange software > winsupdater.exe Nick FitzGerald (Mar 28)
- Re: strange software > winsupdater.exe Paul Laudanski (Mar 28)
- Re: strange software > winsupdater.exe Justin (Mar 16)
- Pubstro rash David Gillett (Mar 17)
- Re: Pubstro rash Mark Coleman (Mar 17)
- RE: Pubstro rash Steve Drees (Mar 17)
- RE: Pubstro rash Alexandre Skyrme (Mar 17)
- Re: Pubstro rash Jeff Kell (Mar 18)
- RE: Pubstro rash David Gillett (Mar 18)
- Re: strange software > winsupdater.exe Nick FitzGerald (Mar 16)
- <Possible follow-ups>
- Re: strange software > winsupdater.exe Harlan Carvey (Mar 16)
- RE: strange software > winsupdater.exe Jim Harrison (ISA) (Mar 16)
- RE: strange software > winsupdater.exe Harlan Carvey (Mar 16)
- Re: strange software > winsupdater.exe dave_mikesch (Mar 16)
- RE: strange software > winsupdater.exe Jim Harrison (ISA) (Mar 16)
- Re: strange software > winsupdater.exe Harlan Carvey (Mar 17)
- Re: strange software > winsupdater.exe Valdis . Kletnieks (Mar 17)