We've seen lots of compromises on Windows 2K/XP boxes with evidence of earlier (Mar-May) compromises. We have found cmd.exe backdoors at ports 1111:tcp and 2468:tcp plus lots of xdcc bots. Only one problem: we don't know how they are getting in. We are pretty sure it is not the following:

o virus from email or web browsing
o weak passwords
o problems with media player.
o open shares

The only common denominator we found is SMB. We had large 445:tcp scans around the same time as the latest compromises. Could it be: http://online.securityfocus.com/bid/5556

Bob Todd
--------------------------------------------------------
Advanced Research Corporation (r)
http://www-arc.com

----- Original Message -----
From: "Baribault, Gary" <garyat_private>
To: "H C" <keydet89at_private>; "Bronek Kozicki" <brokat_private>; <incidentsat_private>
Sent: Friday, September 06, 2002 5:35 PM
Subject: Re: Q328691 ?

> Microsoft themselves have admitted that there was a dramatic increase in
> attacks on Win2K servers .. this is public knowledge .. they have not given
> out all of the details, and this 'could' be using known existing problems,
> but it did not sound like that from their explanations.
>
> They claim that they have .bat files and known Trojans from the compromised
> systems, but that they do not consider the attacks to be a 'worm'.
>
> I don't know why you are disputing the increase just because there have
> been no details revealed yet. The gentleman just said that there was an
> increase in attacks.
>
> Gary B
>
> At 02:09 PM 9/6/2002 -0700, H C wrote:
> >Increase in attacks? How so?
> >
> >My idea is this...the alert says absolutely nothing of
> >use.
> >
> >
> >--- Bronek Kozicki <brokat_private> wrote:
> > > There seems to be an increase of attacks on Windows
> > > recently:
> > >
> > >http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
> > >
> > > Any ideas?
> > >
> > >
> > > B.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
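The indicators Bob Todd reports (cmd.exe bound to listening sockets on 1111/tcp and 2468/tcp, and bursts of 445/tcp probes preceding the compromises) are easy to turn into a host and perimeter triage check. The script below is an added example and is not code from the thread or from any of the posters; the netstat output, PID-to-image mapping and firewall log lines are constructed samples in the style of `netstat -ano` and a space-separated drop log, and the 192.0.2.x / 203.0.113.x / 198.51.100.x addresses are documentation ranges. It flags any TCP listener owned by cmd.exe or sitting on one of the reported ports, and any source that hit 445/tcp on several distinct hosts.

```python
"""Triage helper for the indicators described in the thread (added example).

Sample netstat and firewall-log data below are constructed for illustration."""
import re
from collections import defaultdict

# Ports the thread reports as cmd.exe backdoor listeners (from the post, not a
# general signature list).
BACKDOOR_PORTS = {1111, 2468}

# Constructed sample in the shape of `netstat -ano` output on Windows XP.
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1111           0.0.0.0:0              LISTENING       1532
  TCP    0.0.0.0:2468           0.0.0.0:0              LISTENING       1532
  TCP    192.0.2.10:6667        198.51.100.7:6667      ESTABLISHED     1540
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed PID -> image-name mapping (what `tasklist` would give you).
SAMPLE_PIDS = {700: "svchost.exe", 4: "System", 1532: "cmd.exe", 1540: "mirc.exe"}

# Constructed perimeter drop log: "date time action proto src dst sport dport".
SAMPLE_FW_LOG = [
    "2002-09-06 14:05:11 DROP TCP 203.0.113.5 192.0.2.10 3456 445",
    "2002-09-06 14:05:11 DROP TCP 203.0.113.5 192.0.2.11 3457 445",
    "2002-09-06 14:05:12 DROP TCP 203.0.113.5 192.0.2.12 3458 445",
    "2002-09-06 14:05:12 DROP TCP 203.0.113.5 192.0.2.13 3459 445",
    "2002-09-06 14:06:40 OPEN TCP 192.0.2.20 192.0.2.10 1044 445",  # one legit client
    "2002-09-06 14:07:02 DROP TCP 198.51.100.9 192.0.2.10 40000 80",
    "2002-09-06 14:07:30 DROP UDP 203.0.113.77 192.0.2.10 1200 445",
]

NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<raddr>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s*$"
)

FW_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<sport>\d+) (?P<dport>\d+)$"
)


def parse_netstat(text):
    """Return one dict per socket line; UDP lines have state None."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            row = m.groupdict()
            row["lport"] = int(row["lport"])
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def suspicious_listeners(netstat_text, pid_to_image):
    """Flag TCP listeners on the reported backdoor ports or owned by cmd.exe.

    Returns (port, pid, image, reason) tuples in netstat order."""
    findings = []
    for row in parse_netstat(netstat_text):
        if row["proto"] != "TCP" or row["state"] != "LISTENING":
            continue
        image = pid_to_image.get(row["pid"], "<unknown>")
        reasons = []
        if row["lport"] in BACKDOOR_PORTS:
            reasons.append("port reported as cmd.exe backdoor")
        if image.lower() == "cmd.exe":
            reasons.append("cmd.exe should never own a listening socket")
        if reasons:
            findings.append((row["lport"], row["pid"], image, "; ".join(reasons)))
    return findings


def smb_scanners(log_lines, min_targets=3):
    """Sources that touched 445/tcp on at least `min_targets` distinct hosts.

    Returns sorted (source, distinct_target_count) pairs; UDP and other
    destination ports are ignored."""
    targets = defaultdict(set)
    for line in log_lines:
        m = FW_RE.match(line)
        if not m or m.group("proto") != "TCP" or int(m.group("dport")) != 445:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return sorted((src, len(hosts)) for src, hosts in targets.items()
                  if len(hosts) >= min_targets)


if __name__ == "__main__":
    for port, pid, image, why in suspicious_listeners(SAMPLE_NETSTAT, SAMPLE_PIDS):
        print(f"listener {port}/tcp pid={pid} image={image}: {why}")
    for src, n in smb_scanners(SAMPLE_FW_LOG):
        print(f"445/tcp sweep from {src} against {n} hosts")
```

On a live XP host the netstat text comes from `netstat -ano` and the PID mapping from `tasklist`; Windows 2000's netstat lacks `-o`, so there the PID column is absent and a tool such as fport has to supply the socket-to-process link. The scanner threshold counts distinct destination hosts rather than raw packets so a single busy file-share client is not mistaken for a sweep.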
This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 08:24:37 PDT