Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

From: H C (keydet89at_private)
Date: Tue May 07 2002 - 10:25:35 PDT


    David, 
    
    What other info can you provide about this?  Do you
    know how this file got on the box?  What other
    services are running?  Are there any other files
    associated with this?
    
    I ask b/c I teach an incident response course for 2K,
    and I'm always interested in seeing actual
    compromises...it helps me tailor my approach and
    recommendations.  
    
    For example, I assume you found the sites the file was
    hitting based on IDS or firewall logs...right?  What
    else have you done?  Have you checked the filesystem
    for other new files?  What about processes, network
    connections, etc?
    
    I'd also like to ask that if it isn't too much
    trouble, could you zip up and send me a copy of that
    file, and any other files associated with it?  I'd
    like to take a look at it.
    
    Thanks.
    
    --- "Edwards, David  (JTS)"
    <Edwards.Daveat_private> wrote:
    > Hi,
    > 
    > We've just found some instances of "netbuie.exe" running in some terminal
    > server sessions here.  The file was written to the Winnt\system32 directory
    > about 6:00pm on Sunday and registry entries made in:
    > 
    > HKLM/Software\Microsoft\windows\current version\run
    > HKLM/Software\Microsoft\windows\run
    > 
    > It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and
    > fastcounter.bcentral.com when run.  Possibly just generating revenue for
    > some bod somewhere.
    > 
    > Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server
    > patches missing and 2 IE6.
    > 
    > This sounded familiar (when I first saw it) but I haven't been able to find
    > any other references so I thought I'd make one :-)  The worry is (of
    > course) that the server is further compromised.  Anyone seen this before?
    > 
    > ciao
    > dave
    > ---
    > Dave Edwards 
    > Justice Technology Services
    > Ph: +61 8 82265426 || 0408 808355 
    > mailto: edwards.daveat_private
    > Snail : Justice Technology Services 
    >         GPO Box 2048, Adelaide 5001
    > ---
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
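As an added example (not part of the original thread), a small Python triage helper for the persistence the post describes: it parses a `reg export` of the HKLM Run key and flags autorun values whose executable is not on an assumed known-good baseline. The .reg text, the value names and the baseline allowlist are constructed, not taken from the affected server.

```python
"""Added example (not from the original post): parse a `reg export` of the
Run key (.reg format, REG_SZ values only) and flag autorun entries whose
executable is not on a known-good baseline. Sample text and baseline are
constructed, not taken from the affected server."""
import re
import shlex
from pathlib import PureWindowsPath

# Constructed export of the Run key, modelled on the thread's report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"netbuie"="C:\\WINNT\\system32\\netbuie.exe"
"Updater"="\"C:\\Program Files\\Vendor\\update.exe\" /quiet"
'''
# Assumed allowlist taken from a clean build of the same server image.
BASELINE = {"mobsync.exe", "update.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_keys(reg_text):
    """Return (key, value_name, command) for every REG_SZ value in the export."""
    entries, key = [], None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            # .reg data escapes backslashes and quotes with a backslash
            command = re.sub(r"\\(.)", r"\1", m.group("data"))
            entries.append((key, m.group("name"), command))
    return entries

def executable_of(command):
    """First token of an autorun command line, honouring a quoted path."""
    tokens = shlex.split(command, posix=False)
    return tokens[0].strip('"') if tokens else ""

def suspicious_entries(reg_text, baseline=BASELINE):
    """Autorun values whose executable file name is not on the baseline."""
    flagged = []
    for _key, name, command in parse_run_keys(reg_text):
        exe = executable_of(command)
        if PureWindowsPath(exe).name.lower() not in baseline:
            flagged.append((name, exe))
    return flagged
```

Run `suspicious_entries(SAMPLE_REG)` against a real export to get the list of autoruns worth pulling for analysis; REG_EXPAND_SZ (`hex(2):`) values are not parsed by this helper.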



    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 21:25:22 PDT