Re: FTP and Win2K changed security policy

From: Don Voss (vossat_private)
Date: Wed Nov 20 2002 - 09:23:01 PST

    I have experienced this .. not exactly the same but I think you should 
    direct your research in this direction.
    
    Short version: 
    
    remote location complains about probes from a unit in my area, sends 
    logs.
    
    First look at unit .. virus app off .. attempt to restart .. failed .. 
    close look .. I can "feel" the background tasks running, mouse skitter, 
    video jitter, delays, etc.
    
    Pull it off the net .. start to dig. Found various materials .. buried 
    deep was a warez game ftp archive .. 
    
    + MS IRC material floating in background.
    
    I do not think this is one exploit .. nor yours .. I think it plays out 
    like this:
    
    automated scan pounding out exploits or email trojan attachment .. 
    regardless .. success posted in lusers' IRC area + IRC bots "sharing" the 
    trophy. Next luser comes along and "uses" the trophy, and the next .. 
    
    Multiple materials from multiple lusers. A combo effect from an open door.
    
    So it goes. Clean house, re-lock the doors. Watch out for net shares 
    propagation of these trojans.
    
    regards,
    /don
    
    
    
    On 18 Nov 2002 at 12:37, Bojan Zdrnja wrote:
    
    > I'm sending this a 2nd time because I didn't receive any message either
    > from the moderator or on the ML.
    > 
    > Hi everyone.
    > 
    > Today one of the employees at my university asked me to check his machine as
    > he couldn't use Netmeeting anymore for remote desktop sharing. Some
    > people here use Netmeeting to easily control their machines from home (I
    > know I should have banned that before on a lower level, but ...). After I
    > couldn't find his machine on our domain (and he was added) I went to his
    > computer and saw that he hasn't got Sophos started at all. Every time I
    > tried to start Sophos it would just hang. Things became interesting at
    > that point (for me, not him :).
    
    [snip]
    
    _________________________________________________________
    Don Voss                v o s s @ a l b a n y . e d u
    
    The most human thing we can do is comfort the afflicted
    and afflict the comfortable.  -- Clarence Darrow
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Thu Nov 21 2002 - 17:38:44 PST