Re: netbuie.exe, and

From: Rainer Duffner (
Date: Tue May 07 2002 - 09:12:09 PDT

  • Next message: Deus, Attonbitus: "Publishing Nimda Logs"

    Edwards, David  (JTS) writes: 
    > Hi, 
    > We've just found some instances of "netbuie.exe" running in some terminal
    > server sessions here.  The file was written to the Winnt\system32 
    > Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k 
    > Server patches missing and 2 IE6.
    > This sounded familiar (when I first saw it) but I haven't been able to 
    > find any other references so I thought I'd make one :-)   The worry is 
    > (of course) that the server is further compromised.  Anyone seen this 
    > before?
    No, but if one of the missing patches was the one against the "DebPloit",
    then the person could really have done "anything".
    And thus it is, as always, best to reload the OS. 
    Does system32 still have full control for everybody ?
    Or was the file written by an administrator ? 
    Rainer Duffner                   Munich          Germany        Freising
        When shall we three meet again
      In thunder, lightning, or in rain?
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 21:18:28 PDT