RE: TCP port 139 probes

From: Brenna Primrose (drxlecterat_private)
Date: Wed Jul 10 2002 - 10:39:43 PDT


    Several of the machines which have probed me are also the same way.
    However, I noticed that nearly all of them had some sort of "porn
    dialer" installed.  Coincidence?  Probably since obviously these people
    have no idea what is on their machines...
    
    Brenna
    
    http://profiles.yahoo.com/absolut_contagion 
    http://gsa.creighton.edu
    AIM - absolutxpsycho
    Yahoo! - absolut_contagion
    ICQ - 1363187
    MSN - r00tat_private 
    -----BEGIN GEEK CODE BLOCK-----
    Version: 3.12
    GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
    O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
    G e* h- r++ x+ 
    ------END GEEK CODE BLOCK------
    
    -----Original Message-----
    From: Pavel Kankovsky [mailto:peakat_private] 
    Sent: Wednesday, July 10, 2002 4:18 AM
    To: incidentsat_private
    Subject: RE: TCP port 139 probes
    
    On Wed, 10 Jul 2002, Dan Irwin wrote:
    
    > At least one of these machines appeared to be insecure and i could
    > enumerate shares etc with smbclient -L.
    
    Bingo. I looked at some of the source addresses and saw windows
    9x machines with publicly accessible shares (I could access them using
    an empty username and password). In two or three cases, I checked whether
    the share was writable and it was. Having done a superficial examination
    of system directories on those machines (they had a publicly accessible
    share, ergo I was invited, wasn't I? <g>) I found some weird files on one
    of those machines:
    
      winhlp32.exe                        A   317440  Fri Jul  5 15:43:08 2002
      notepad.exe                         A   317440  Fri Jul  5 15:43:08 2002
      control.exe                         A   317440  Fri Jul  5 15:43:08 2002
      scanregw.exe                        A   317440  Fri Jul  5 15:43:08 2002
      ifnhlp.sys                          A   317440  Tue Jul  9 22:20:00 2002
      scanregw.exe                        A   317440  Fri Jul  5 15:43:40 2002
      loadpe.com                          A   317440  Fri Jul  5 15:43:40 2002
      msiexec.exe                         A   317440  Fri Jul  5 15:43:08 2002
      wf2k.exe                            A   317440  Fri Jul  5 15:43:40 2002
    
    I downloaded 3 of them and they all seem to be compressed executables
    having a common prefix, and there are some fragments of strings ("rom",
    "y smt", ") with", "ESM", "Mime-", "-Typ", "quit" etc) in that common
    prefix suggesting there is some SMTP implementation there--presumably
    some kind of malware able to spread via email.
    
    But I did not find anything similar on other machines I examined.
    
    --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
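The listing Pavel quotes is itself an indicator: many differently named system executables that all have exactly the same byte size, plus SMTP/MIME strings in their common prefix. The script below is an added example (not code from anyone in this thread) that parses an smbclient-style directory listing, flags clusters of same-size executables, and scans a byte blob for SMTP markers; the listing and the blob are constructed sample input modelled on the post, and the regex assumes the column layout shown above.

```python
import re
from collections import defaultdict

# Constructed sample input: the listing quoted in Pavel's post, re-joined to one
# entry per line, plus two ordinary files (also constructed) for contrast.
LISTING = """\
  winhlp32.exe                        A   317440  Fri Jul  5 15:43:08 2002
  notepad.exe                         A   317440  Fri Jul  5 15:43:08 2002
  control.exe                         A   317440  Fri Jul  5 15:43:08 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:08 2002
  ifnhlp.sys                          A   317440  Tue Jul  9 22:20:00 2002
  scanregw.exe                        A   317440  Fri Jul  5 15:43:40 2002
  loadpe.com                          A   317440  Fri Jul  5 15:43:40 2002
  msiexec.exe                         A   317440  Fri Jul  5 15:43:08 2002
  wf2k.exe                            A   317440  Fri Jul  5 15:43:40 2002
  readme.txt                          A     1203  Mon Mar  4 09:12:00 2002
  calc.exe                            A    94208  Tue Apr 23 12:00:00 1999
"""

# One listing line: name, attribute letters, size in bytes, modification time.
ENTRY = re.compile(r"^\s*(\S+)\s+([A-Z]+)\s+(\d+)\s+(\w{3} \w{3}\s+\d+ [\d:]+ \d{4})\s*$")
EXEC_EXT = (".exe", ".com", ".sys", ".dll", ".scr", ".pif")

def parse_listing(text):
    """Parse listing lines into dicts; lines that do not match the layout are skipped."""
    out = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            name, attrs, size, mtime = m.groups()
            out.append({"name": name, "attrs": attrs, "size": int(size), "mtime": mtime})
    return out

def find_size_clusters(entries, min_files=3):
    """Map size -> sorted names for executable-type files where at least
    min_files differently named files share exactly the same byte size."""
    by_size = defaultdict(set)
    for e in entries:
        if e["name"].lower().endswith(EXEC_EXT):
            by_size[e["size"]].add(e["name"])
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_files}

# Constructed stand-in for the "common prefix" Pavel saw in the downloaded files.
SAMPLE_BLOB = b"MZ\x90\x00\x00HELO %s\r\n\x00MAIL FROM:<%s>\r\n\x00Mime-Version: 1.0\r\n\x00QUIT\r\n"
SMTP_MARKERS = (b"HELO", b"EHLO", b"MAIL FROM", b"RCPT TO", b"Mime-", b"Content-Type", b"QUIT")

def smtp_markers(blob):
    """Case-insensitive search for SMTP/MIME protocol strings in raw file bytes."""
    low = blob.lower()
    return [m.decode() for m in SMTP_MARKERS if m.lower() in low]
```

On the sample listing the size-cluster check reports eight executables sharing 317440 bytes; on a clean directory it returns an empty dict.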
    



    This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 10:42:04 PDT