Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Pubstro rash

From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 18 Mar 2005 11:33:48 +1300
David Gillett wrote:


  Further detail:  I'm being told that all of the compromised
workstations are running 2KPro or NTW.  So that suggests that
the attackers are getting in through a hole that is fixed in
XP or its service packs.


Or poor password policies...

Most pubstros I've seen succeed do so with just password guessing (and 
relatively trivial guessing at that) -- not that they don't have other 
methods, just that pwd guessing gets them plenty of victims.  Are these 
machines visible to the world for any kind of standard NT 
authentication connections?  If so, start with the simplest (and 
probably most likely), which is user slackness (blank, "admin", 
"guest", "pass", "aaaaa", "qwerty", "12345", etc passwords).

Vulns common to NT and 2K but not XP would be fairly rare (other than 
in non-XPSP2 IE 6??), unless you have very limited patch control over 
non-XP machines but good control of XP patching.


Regards,

Nick FitzGerald
Previous By Date Next
Previous By Thread Next

Current thread: