RE: netbuie.exe, and

From: Edwards, David (JTS) (Edwards.Daveat_private)
Date: Tue May 07 2002 - 19:50:01 PDT

  • Next message: Nick FitzGerald: "Re: netbuie.exe, and"

    > -----Original Message-----
    > From: Nick FitzGerald []
    > Sent: Wednesday, 8 May 2002 10:49 AM
    > To: incidentsat_private
    > Cc: Edwards, David (JTS)
    > Subject: Re: netbuie.exe, and
    > "Edwards, David  (JTS)" <Edwards.Daveat_private> wrote:
    > > We've just found some instances of "netbuie.exe" running in 
    > > some terminal server sessions here.  The file was written to the 
    > > Winnt\system32 directory about 6:00pm on Sunday and registry 
    > > entries made in:
    > > 
    > > HKLM/Software\Microsoft\windows\current version\run
    > > HKLM/Software\Microsoft\windows\run
    > First, why do non-admin users even have write access to these keys?
    > If they don't, you clearly need to revise your site's judgments about 
    > who is worthy of having admin (equivalent) passwords.
    Hmmm, who rattled your chain..  Are you saying that the
    only way this incident could have happened is if one of 
    our administrators stuffed up?
    And no, domain users do not have write access to those keys.
    > > This sounded familiar (when I first saw it) but I haven't 
    > > been able to find any other references so I thought I'd 
    > > make one :-)   The worry is (of course) that the server 
    > > is further compromised.  Anyone seen this before?
    > Can't help you on the likely entry point, but given that non-admin 
    > users can change crucial registry key contents or that some of your 
    > admins are incompetent, I'm not sure that compromise via open 
    > security vulnerabilities is the most obvious path of entry...
    <Step back, let that one through to the keeper>
    Thanks for your "constructive" comments.  
    However, it's too early to tell if it's a virus.  
    There is no indication that it's spreading on our network.
    Dave Edwards 
    Justice Technology Services
    Ph: +61 8 82265426 || 0408 808355 
    mailto: edwards.daveat_private
    Snail : Justice Technology Division 
            GPO Box 2048, Adelaide 5001
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 21:28:06 PDT