RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

From: Edwards, David (JTS) (Edwards.Daveat_private)
Date: Tue May 07 2002 - 19:50:01 PDT


    Hi,
    
    > -----Original Message-----
    > From: Nick FitzGerald [mailto:nick@virus-l.demon.co.uk]
    > Sent: Wednesday, 8 May 2002 10:49 AM
    > To: incidentsat_private
    > Cc: Edwards, David (JTS)
    > Subject: Re: netbuie.exe, scorpionsearch.com and
    > fastcounter.bcentral.com
    > 
    > "Edwards, David  (JTS)" <Edwards.Daveat_private> wrote:
    > 
    > > We've just found some instances of "netbuie.exe" running in 
    > > some terminal server sessions here.  The file was written to the 
    > > Winnt\system32 directory about 6:00pm on Sunday and registry 
    > > entries made in:
    > > 
    > > HKLM/Software\Microsoft\windows\current version\run
    > > HKLM/Software\Microsoft\windows\run
    > 
    > First, why do non-admin users even have write access to these keys?
    > 
    > If they don't, you clearly need to revise your site's judgments about 
    > who is worthy of having admin (equivalent) passwords.
    
    Hmmm, who rattled your chain..  Are you saying that the
    only way this incident could have happened is if one of 
    our administrators stuffed up?
    
    And no, domain users do not have write access to those keys.
    
    > > This sounded familiar (when I first saw it) but I haven't 
    > > been able to find any other references so I thought I'd 
    > > make one :-)   The worry is (of course) that the server 
    > > is further compromised.  Anyone seen this before?
    > 
    > Can't help you on the likely entry point, but given that non-admin 
    > users can change crucial registry key contents or that some of your 
    > admins are incompetent, I'm not sure that compromise via open 
    > security vulnerabilities is the most obvious path of entry...
    
    <Step back, let that one through to the keeper>
    
    [snip]
    
    Thanks for your "constructive" comments.  
    
    However, it's too early to tell if it's a virus.  
    There is no indication that it's spreading on our network.
    
    ciao
    dave
    ---
    Dave Edwards 
    Justice Technology Services
    Ph: +61 8 82265426 || 0408 808355 
    mailto: edwards.daveat_private
    Snail : Justice Technology Division 
            GPO Box 2048, Adelaide 5001
    ---
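The Run keys named in the report are the standard HKLM autostart location, and the open question in the exchange is whether non-administrative users can write to them. As an added example (not part of this thread or the list archive), the following PowerShell audit lists the current autostart values and reports any Allow ACE that grants value- or subkey-creation rights to a principal outside the expected set. It assumes the standard HKLM CurrentVersion Run and RunOnce paths and a Windows host with the built-in Registry provider; the second key path in the message is left as the author wrote it and is not interpreted here.

```powershell
# Added example, not from the original thread. Audits the HKLM Run keys
# (assumed standard paths) for autostart entries and for ACEs that let
# non-administrative principals write values.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Principals that are expected to be able to write these keys (assumption:
# adjust to the site's own baseline).
$expectedWriters = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller'
)

# Bit values from System.Security.AccessControl.RegistryRights, plus the
# generic rights that some ACEs carry instead of specific ones.
$SetValue     = 0x00000002
$CreateSubKey = 0x00000004
$GenericAll   = 0x10000000
$GenericWrite = 0x40000000

foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    "== $key"

    # List every autostart value; an unexpected binary dropped into system32
    # (the report's netbuie.exe) would show up here.
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata
        "  {0,-30} {1}" -f $p.Name, $p.Value
    }

    # Report any Allow ACE that grants write-type rights to a principal
    # outside the expected set. Comparisons are fully parenthesised because
    # -eq/-ne bind tighter than -band in PowerShell.
    $acl = Get-Acl -Path $key
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights   = [int]$ace.RegistryRights
        $canWrite = (($rights -band ($SetValue -bor $CreateSubKey)) -ne 0) -or
                    (($rights -band ($GenericAll -bor $GenericWrite)) -ne 0)
        if ($canWrite -and ($expectedWriters -notcontains $ace.IdentityReference.Value)) {
            "  WRITE ACCESS: {0} ({1})" -f $ace.IdentityReference.Value, $ace.RegistryRights
        }
    }
}
```

Run it from an elevated prompt so Get-Acl can read the key security descriptors. Anything printed under WRITE ACCESS is a principal who could plant an autostart entry without holding administrative rights, which is exactly the condition the two correspondents disagree about; an empty list points the investigation back toward how the file reached system32 in the first place.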
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 21:28:06 PDT