Security Incidents: RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com

From: Edwards, David (JTS) <Edwards.Dave_at_saugov.sa.gov.au>
Date: Wed, 8 May 2002 15:25:32 +0930

Hi,

> -----Original Message-----
> From: H C [mailto:keydet89_at_yahoo.com]
> Sent: Wednesday, 8 May 2002 2:56 AM
> To: Edwards, David (JTS); incidents_at_securityfocus.com
> Subject: Re: netbuie.exe, scorpionsearch.com and
> fastcounter.bcentral.com
>
> David,
>
> What other info can you provide about this? Do you
> know how this file got on the box? What other
> services are running? Are there any other files
> associated with this?

We don't know where it came from at the moment.
Proxy logs show it started connecting to scorpionsearch
etc. at 8:57 May 6th CST.

[snip]

> For example, I assume you found the sites the file was
> hitting based on IDS or firewall logs...right? What
> else have you done? Have you checked the filesystem
> for other new files? What about processes, network
> connections, etc?

The binary has the sites hard-coded as unicode strings.

Apart from netbuie.exe, there was nothing obvious in the
process table.

We've taken the box off-line and are gathering information
at the moment. We're also looking at our backups.

We've found at least one other file probably associated
with it. It's called NBSetup.exe.

Company name in the Version information says: MiKrOsOFT.
This was found in c:\windows\system (note the box is a
Win2k Server, not Win95/8). It was owned by the local
administrators group (not domain admin).

I'm looking through the firewall logs at the moment.
There are some very odd entries there from this machine
but I'm not confident that they are related as yet.
ciao
dave

---
Dave Edwards 
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355 
mailto: edwards.dave_at_saugov.sa.gov.au
Snail : Justice Technology Division 
        GPO Box 2048, Adelaide 5001
---
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Received on May 08 2002