Re: Q328691 ?

From: Security (security@mail-arc.com)
Date: Fri Sep 06 2002 - 16:37:00 PDT


    We've seen lots of compromises on Windows 2K/XP
    boxes with evidence of earlier (Mar-May) compromises.
    We have found cmd.exe backdoors at ports 1111:tcp
    and 2468:tcp plus lots of xdcc bots.  Only one problem:
    we don't know how they are getting in.  We are pretty
    sure it is not the following:
    
        o virus from email or web browsing
        o weak passwords
        o problems with media player.
        o open shares
    
    The only common denominator we found is SMB.
    We had large 445:tcp scans around the same time
    as the latest compromises.  Could it be:
    
           http://online.securityfocus.com/bid/5556
    
    
    
    Bob Todd
    --------------------------------------------------------
    Advanced Research Corporation (r)
    http://www-arc.com
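As an added example (not part of the thread), a small defender-side triage script for the two indicators Bob describes: cmd.exe listeners on 1111/tcp and 2468/tcp in `netstat -an` output, and single sources sweeping 445/tcp across many hosts in perimeter logs. The netstat output and firewall lines below are constructed, and the log field layout is an assumption.

```python
import re
from collections import defaultdict

# Backdoor listener ports named in the thread.
BACKDOOR_PORTS = {1111, 2468}

# Constructed sample of `netstat -an` output from a Windows 2000 host.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1111           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:2468        0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.20:1055        ESTABLISHED
"""

# Constructed firewall log lines, assumed layout: "<epoch> <src> <dst> <dport> <proto>".
FW_SAMPLE = """\
1031350000 198.51.100.7 192.0.2.1 445 tcp
1031350001 198.51.100.7 192.0.2.2 445 tcp
1031350002 198.51.100.7 192.0.2.3 445 tcp
1031350010 203.0.113.9 192.0.2.1 445 tcp
1031350011 203.0.113.9 192.0.2.1 445 tcp
1031350020 198.51.100.7 192.0.2.5 80 tcp
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")

def suspicious_listeners(netstat_text, watch_ports=BACKDOOR_PORTS):
    """Return (local_addr, port) pairs for TCP listeners on watched ports."""
    hits = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) in watch_ports:
            hits.append((m.group(1), int(m.group(2))))
    return sorted(hits, key=lambda h: h[1])

def smb_scanners(fw_text, min_targets=3):
    """Return {src: distinct hosts} for sources probing 445/tcp on >= min_targets hosts."""
    targets = defaultdict(set)
    for line in fw_text.splitlines():
        _ts, src, dst, dport, proto = line.split()
        if dport == "445" and proto == "tcp":
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}

if __name__ == "__main__":
    print(suspicious_listeners(NETSTAT_SAMPLE))
    print(smb_scanners(FW_SAMPLE))
```

A listener hit is only a lead: confirm with the owning process and the host's known service inventory before treating it as a backdoor.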
    
    
    
    ----- Original Message -----
    From: "Baribault, Gary" <garyat_private>
    To: "H C" <keydet89at_private>; "Bronek Kozicki" <brokat_private>;
    <incidentsat_private>
    Sent: Friday, September 06, 2002 5:35 PM
    Subject: Re: Q328691 ?
    
    
    > Microsoft themselves have admitted that there was a dramatic increase in
    > attacks on Win2K servers .. this is public knowledge .. they have not given
    > out all of the details, and this 'could' be using known existing problems,
    > but it did not sound like that from their explanations.
    >
    > They claim that they have .bat files and known Trojans from the compromised
    > systems, but that they do not consider the attacks to be a 'worm'.
    >
    > I don't know why you are disputing the increase just because there have
    > been no details revealed yet. The gentleman just said that there was an
    > increase in attacks.
    >
    > Gary B
    >
    > At 02:09 PM 9/6/2002 -0700, H C wrote:
    > >Increase in attacks?  How so?
    > >
    > >My idea is this...the alert says absolutely nothing of
    > >use.
    > >
    > >
    > >--- Bronek Kozicki <brokat_private> wrote:
    > > > There seems to be an increase of attacks on Windows
    > > > recently:
    > > >
    > >http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
    > > >
    > > > Any ideas?
    > > >
    > > >
    > > > B.
    > > >
    > > >
    > > >
    > > >
    >
    >----------------------------------------------------------------------------
    > > > This list is provided by the SecurityFocus ARIS
    > > > analyzer service.
    > > > For more information on this free incident handling,
    > > > management
    > > > and tracking system please see:
    > > > http://aris.securityfocus.com
    > > >
    > >
    > >
    > >
    >
    
    
    



    This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 08:24:37 PDT