Snort mailing list archives
RE: Compromising Packet...
From: "Dusty Hall" <halljer () auburn edu>
Date: Mon, 26 Jan 2004 14:56:24 -0600
>>> <bmcdowell () coxhealthplans com> 1/26/2004 2:09:44 PM >>>
You may already know, but tlist and kill are (normally) Resource Kit tools. Not sure how that would have given them a shell (unless they aren't really those tools).
I'll definitely take a look at both of those exe's. The reason I know they uploaded those exe's is because I have a Snort rule that looks for those exe's.
Also I wonder how they managed to install Serv-U without a shell. It sounds to me like there was a shell on there before snort alerted you to it.
Quite possible, but it's strange it all happened within a few minutes this morning...

Thanks,
-Dusty

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Dusty Hall
Sent: Monday, January 26, 2004 11:15 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Compromising Packet...

I'm curious to know if anyone has seen anything like this before. A few packets were sent to port 2502... a few seconds later port 2503 was opened up with Serv-U installed; tlist.exe and kill.exe were uploaded and then they had a shell. After that it looks like "SUB0T" was set up, and the IRC channel and pass were captured in other packets. It's supposedly an XP system with current patches. Any help would be greatly appreciated.

Thanks,
-Dusty