Snort mailing list archives

RE: Compromising Packet...


From: "Dusty Hall" <halljer () auburn edu>
Date: Mon, 26 Jan 2004 14:56:24 -0600

<bmcdowell () coxhealthplans com> 1/26/2004 2:09:44 PM >>>

You may already know, but tlist and kill are (normally) Resource Kit tools.  Not sure how that would have given them a shell (unless they aren't really those tools).


I'll definitely take a look at both of those exes.  The reason I know they uploaded those exes is because I have a Snort rule that looks for those exes.


Also I wonder how they managed to install Serv-U without a shell.  It sounds to me like there was a shell on there before Snort alerted you to it.


Quite possible, but it's strange it all happened within a few minutes this morning...


Thanks,


-Dusty


-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Dusty Hall
Sent: Monday, January 26, 2004 11:15 AM
To: snort-users () lists sourceforge net 
Subject: [Snort-users] Compromising Packet...


I'm curious to know if anyone has seen anything like this before.  A few packets were sent to port 2502... a few seconds later port 2503 was opened up with Serv-U installed; tlist.exe and kill.exe were uploaded and then they had a shell.  After that it looks like "SUB0T" was set up; the IRC channel and password were captured in other packets.  It's supposedly an XP system with current patches.

Any help would be greatly appreciated.

Thanks,


-Dusty
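Dusty mentions a Snort rule that watches for the uploaded exes but does not post it. The rules below are an added example written for this archive page, not Dusty's rule or anything from the Snort project, showing one way to detect the sequence he describes: a connection to the unexpected ports, followed by an FTP STOR of tlist.exe or kill.exe on the rogue Serv-U listener. Assumptions: Serv-U is on TCP 2502-2503 as in the thread (adjust the port range for your host), $HOME_NET and $EXTERNAL_NET are the usual snort.conf variables, and the SIDs are placeholders in the local range.

```snort
# Added example rules for the incident described in the thread.
# Assumptions: rogue Serv-U on TCP 2502:2503 (from the thread), standard
# $HOME_NET / $EXTERNAL_NET variables, placeholder local SIDs (1000000+).

# 1. Inbound connection attempt to the ports seen in the incident.
#    Matches the SYN only (mask 12 ignores the reserved/ECN bits), so it
#    fires before any payload and regardless of what the server says.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2502:2503 (msg:"LOCAL inbound connection to 2502-2503 (possible rogue Serv-U)"; flags:S,12; classtype:attempted-recon; sid:1000001; rev:1;)

# 2. FTP upload (STOR) of the named tools to the rogue server.
#    flow:to_server,established restricts the match to the client side of
#    an established session; nocase covers TLIST.EXE and similar; within
#    keeps the filename close to the STOR verb instead of anywhere in
#    the packet.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2502:2503 (msg:"LOCAL FTP STOR of tlist.exe on non-standard port"; flow:to_server,established; content:"STOR "; nocase; content:"tlist.exe"; nocase; within:80; classtype:suspicious-filename-detect; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2502:2503 (msg:"LOCAL FTP STOR of kill.exe on non-standard port"; flow:to_server,established; content:"STOR "; nocase; content:"kill.exe"; nocase; within:80; classtype:suspicious-filename-detect; sid:1000003; rev:1;)
```

Rule 1 is deliberately noisy (any SYN to those ports) and is meant to corroborate the timeline, not to stand alone; rules 2 and 3 are the ones that give the "they uploaded those exes" alert. Because Serv-U was not on port 21, the stock FTP preprocessor will not decode this traffic, which is why the rules match the raw STOR command rather than relying on FTP-aware keywords. Drop them in local.rules and confirm they fire with a replayed capture of the session before trusting them in production.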





