Hi,

We've just found some instances of "netbuie.exe" running in some terminal server sessions here. The file was written to the Winnt\system32 directory about 6:00pm on Sunday and registry entries made in:

HKLM/Software\Microsoft\windows\current version\run
HKLM/Software\Microsoft\windows\run

It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and fastcounter.bcentral.com when run. Possibly just generating revenue for some bod somewhere.

Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server patches missing and 2 IE6.

This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-)

The worry is (of course) that the server is further compromised.

Anyone seen this before?

ciao
dave

---
Dave Edwards
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.daveat_private
Snail : Justice Technology Services
GPO Box 2048, Adelaide 5001
---

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue May 07 2002 - 08:51:37 PDT