Edwards, David (JTS) writes:

> Hi,
>
> We've just found some instances of "netbuie.exe" running in some terminal
> server sessions here. The file was written to the Winnt\system32
[snip]
> Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k
> Server patches missing and 2 IE6.
> This sounded familiar (when I first saw it) but I haven't been able to
> find any other references so I thought I'd make one :-) The worry is
> (of course) that the server is further compromised. Anyone seen this
> before?

No, but if one of the missing patches was the one against the "DebPloit",
then the person could really have done "anything".
And thus it is, as always, best to reload the OS.

Does system32 still have full control for everybody?
Or was the file written by an administrator?

cheers,
Rainer

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rainer Duffner           Munich
rainer@ultra-secure.de   Germany
http://www.i-duffner.de  Freising
========================================
When shall we three meet again
In thunder, lightning, or in rain?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue May 07 2002 - 21:18:28 PDT