Outgoing connections to Port 22226 and 22227

From: Gereon Volker (gvolkerat_private)
Date: Sun Aug 24 2003 - 02:19:01 PDT

    Hello
    
    Over the past couple days I've noticed an increase in outgoing connections 
    from port range 1033-1040 to port 22226 or 22227 on my Windows 2000
    honeypot (no service packs or hot fixes applied). Port 135 connections are 
    dropped by the firewall.
    
    All "attacks" start scanning port 445 and port 139.
    
    Some of the attacks kill the rpc-daemon, others leave a file 
    (winhlpp32.exe) in the system32 directory (known from W32.HLLW.Gaobot.P).
    
    Most of the IP addresses are Dial-Up accounts.
    
    No keys were written in the registry.
    
    Has anybody else seen similar things?
    
    Sorry for my lame English.
    
    Gereon
    
    



    This archive was generated by hypermail 2b30 : Tue Aug 26 2003 - 08:32:02 PDT