On Wed, 10 Jul 2002, Dan Irwin wrote:
> At least one of these machines appeared to be insecure and i could
> enumerate shares etc with smbclient -L.
Bingo. I looked at some of the source addresses and saw windows
9x machines with publicly accesible shares (I could access them using
an empty username and password). In two or three cases, I checked whether
the share was writable and it was. Having done a superficial examination
of system directories on those machines (they had a publicly accesible
share, ergo I was invited, wasn't I? <g>) I found some wierd files on one
of those machines:
winhlp32.exe A 317440 Fri Jul 5 15:43:08 2002
notepad.exe A 317440 Fri Jul 5 15:43:08 2002
control.exe A 317440 Fri Jul 5 15:43:08 2002
scanregw.exe A 317440 Fri Jul 5 15:43:08 2002
ifnhlp.sys A 317440 Tue Jul 9 22:20:00 2002
scanregw.exe A 317440 Fri Jul 5 15:43:40 2002
loadpe.com A 317440 Fri Jul 5 15:43:40 2002
msiexec.exe A 317440 Fri Jul 5 15:43:08 2002
wf2k.exe A 317440 Fri Jul 5 15:43:40 2002
I downloaded 3 of them and they all seem to be compressed executables
having a common prefix, and there are some fragments of strings ("rom",
"y smt", ") with", "ESM", "Mime-", "-Typ", "quit" etc) in that common
prefix suggesting there is some SMTP implementation there--presumably
some kind of malware able to spread via email.
But I did not find anything similar on other machines I examined.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 08:46:53 PDT