RE: TCP port 139 probes

From: H C (keydet89at_private)
Date: Wed Jul 10 2002 - 10:39:55 PDT


    > Having done a superficial examination
    > of system directories on those machines (they had a
    > publicly accessible
    > share, ergo I was invited, wasn't I? <g>) 
    
    Uh...no, you weren't.  Just b/c a share is publicly
    accessible, does NOT, in fact, mean that you were
    invited.  This is simply the age-old rhetoric used to
    justify malicious actions.  While many admins have
    said that they would be very happy to be told by an
    outsider that they had a vulnerable machine, to date
    not a single one has said that they'd be happy to have
    that person access the machine via some vulnerability
    and take files.
    
    > I downloaded 3 of them and they all seem to be
    > compressed executables
    
    As with your previous posts, this one is incredibly
    vague and lacking in any useful information. 
    Compressed with what?  PKZip?  UPX?  What version? 
    Did you uncompress the files?
    
    > having a common prefix, 
    
    If you're referring to the first couple of bytes of
    the file, "MZ" is the common prefix for executables on
    Windows systems.
    
    > and there are some fragments
    > of strings ("rom",
    > "y smt", ") with", "ESM", "Mime-", "-Typ", "quit"
    > etc) in that common
    > prefix suggesting there is some SMTP implementation
    > there--presumably
    > some kind of malware able to spread via email.
    
    Did you run strings on the compressed or uncompressed
    file?  
     
    > But I did not find anything similar on other
    > machines I examined.
    
    Interesting how you've posted to a public list,
    basically stating that while you refuse to do any
    testing on your end to verify that the activity you're
    seeing is a worm (in your own words to me via email,
    you're "too lazy"), you're more than willing to access
    vulnerable systems and take files...
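As an added triage example (not part of this mailing-list exchange), here are the checks the reply asks for: whether a downloaded file really is an MZ/PE executable, what packer its section names suggest (UPX names its sections UPX0/UPX1), and what strings survive in the packed form versus the unpacked one. The two PE-shaped blobs are constructed in-script for the demonstration; they are not real samples and not runnable programs.

```python
import re
import struct

def build_sample(names, payload):
    """Constructed PE-shaped test blob (NOT a real executable): DOS header with
    e_lfanew=0x40, 'PE\\0\\0', a 20-byte COFF header with no optional header,
    one 40-byte section header per name, then an arbitrary payload."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    secs = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + coff + secs + payload

def section_names(data):
    """Return PE section names, or [] if the blob is not MZ/PE shaped."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]     # NumberOfSections
    opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # SizeOfOptionalHeader
    base = e_lfanew + 24 + opt                                 # first section header
    return [data[base + 40 * i: base + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsec)]

def strings(data, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like the strings(1) tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data):
    """Header check, packer hint from section names, and the visible strings."""
    names = section_names(data)
    return {"mz": data[:2] == b"MZ",
            "sections": names,
            "packed": any(n.upper().startswith("UPX") for n in names),
            "strings": strings(data)}

# Constructed samples: a "packed" blob whose only readable runs are fragments,
# and the "unpacked" form of the same payload with full SMTP/MIME strings.
PACKED = build_sample(["UPX0", "UPX1", ".rsrc"],
                      b"\x8f\x01y smt\x03\xfe-Typ\x11quit\x00\x7fMime-\x02")
UNPACKED = build_sample([".text", ".data"],
                        b"\0MAIL FROM:<>\0Content-Type: text/plain\0QUIT\r\n\0")

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("unpacked", UNPACKED)):
        r = triage(blob)
        print(label, r["sections"], "packed=%s" % r["packed"], r["strings"])
```

Running strings on the packed blob yields only the kind of fragments quoted above; the same payload unpacked shows the full SMTP and MIME tokens, which is why the reply asks which form was examined.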
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 10:45:32 PDT