Hello

Wednesday, January 30, 2002, 12:23:51 AM, you wrote:

> A port scan of one of the infected hosts shows:
>
> 7 Echo
> 9 Discard
> 13 Daytime
> 17 Quote of the Day
> 19 Character Generator
> 21 File Transfer Protocol [Control]
> 25 Simple Mail Transfer
> 80 World Wide Web HTTP
> 135 DCE endpoint resolution
> 139 NETBIOS Session Service
> 443 https MCom
> 445 Microsoft-DS
> 548 AFP over TCP
> 1025 network blackjack
> 1026
> 1027 ICQ?
> 1433 Microsoft-SQL-Server
> 5631 pcANYWHEREdata
>
> The client claims that they are not running Appletalk (548) but I'm not sure
> whether to believe. We haven't been able to get console access to that
> machine to do any further investigation (but have blocked it upstream). Of
> the above services, most look legit from what I can tell with the exception
> of 548 and 1025-1027

Most probably your client has been rooted. Among the above services, the following are especially easy to hack:

- netbios (brute force attack on Administrator account)
- http (whole lot of exploits, running on nonpatched IIS)
- sql-server (default empty password for 'sa' account; brute force attack if password is not empty)

I think your client has no idea what's going on on their servers, and they will keep claiming that "everything is fine" till they find their data at the competition's site :/

From the above list it's almost obvious that they do not have a clue about security and should not be connected to the Internet.

Kind regards,
B.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
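The triage the original poster did by hand (compare the scan against what the host is supposed to serve, then single out 548 and 1025-1027) is easy to make repeatable. The script below is an added example and not code from either participant in the thread: it parses the quoted scan output, diffs it against a hypothetical baseline of ports the owner says the host should expose, and separately flags the Windows "Simple TCP/IP Services" (echo, discard, daytime, qotd, chargen) as attack-surface candidates and the three services the reply names as common brute-force or unpatched targets. The baseline set and the risk notes are assumptions made for the example.

```python
"""Baseline triage of a port-scan listing (added example, not from the post).

Input format is the one quoted in the thread: one line per open port,
"<port> <service name>", with the name possibly missing.
"""
import re

# Scan output as quoted in the message above (constructed inline so the
# script runs offline).
SCAN_OUTPUT = """\
7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
21 File Transfer Protocol [Control]
25 Simple Mail Transfer
80 World Wide Web HTTP
135 DCE endpoint resolution
139 NETBIOS Session Service
443 https MCom
445 Microsoft-DS
548 AFP over TCP
1025 network blackjack
1026
1027 ICQ?
1433 Microsoft-SQL-Server
5631 pcANYWHEREdata
"""

# Hypothetical baseline: ports the host owner says are intentionally exposed.
# Everything else open is "unexpected" and needs an explanation.
EXPECTED_PORTS = {7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445, 1433, 5631}

# Windows "Simple TCP/IP Services"; rarely needed on an Internet-facing
# host and a classic source of reflection/DoS nuisance.
SIMPLE_TCPIP_SERVICES = {7, 9, 13, 17, 19}

# Services the reply singles out as frequent targets (assumed annotations).
HIGH_RISK = {
    80: "HTTP: keep IIS patched, review web logs",
    139: "NetBIOS session: Administrator brute force, lock out / filter",
    1433: "MS SQL Server: empty or weak 'sa' password, restrict reachability",
}

LINE_RE = re.compile(r"^\s*(\d+)\s*(.*?)\s*$")


def parse_scan(text):
    """Return {port: service_name}; a missing name becomes '(unknown)'."""
    ports = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match or not line.strip():
            continue
        ports[int(match.group(1))] = match.group(2) or "(unknown)"
    return ports


def triage(scan_text, expected_ports):
    """Diff the scan against the baseline and tag risky services."""
    names = parse_scan(scan_text)
    open_ports = set(names)
    return {
        "unexpected": sorted(open_ports - expected_ports),
        "missing": sorted(expected_ports - open_ports),
        "simple_tcpip": sorted(open_ports & SIMPLE_TCPIP_SERVICES),
        "high_risk": sorted(open_ports & set(HIGH_RISK)),
        "names": names,
    }


def report(result):
    """Render the triage as lines a handler can paste into a ticket."""
    lines = []
    for port in result["unexpected"]:
        lines.append(f"UNEXPECTED {port} {result['names'][port]}: not in baseline, investigate")
    for port in result["missing"]:
        lines.append(f"MISSING {port}: in baseline but not open (service down or filtered?)")
    for port in result["simple_tcpip"]:
        lines.append(f"HARDEN {port} {result['names'][port]}: Simple TCP/IP service, disable if unused")
    for port in result["high_risk"]:
        lines.append(f"REVIEW {port}: {HIGH_RISK[port]}")
    return lines


if __name__ == "__main__":
    for line in report(triage(SCAN_OUTPUT, EXPECTED_PORTS)):
        print(line)
```

Run as-is it reproduces the poster's conclusion: 548 and 1025-1027 are the ports with no owner-supplied justification, while the echo/chargen family and the NetBIOS, HTTP and SQL Server listeners come out as the hardening and review items. Swap in the real baseline for a host and keep the scan text in version control to turn this into a cheap drift check.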
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:33:12 PST