Security Incidents
mailing list archives
netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Tue, 7 May 2002 10:10:06 +0930
Hi,
We've just found some instances of "netbuie.exe" running in some terminal
server sessions here. The file was written to the Winnt\system32 directory
about 6:00pm on Sunday and registry entries made in:
HKLM/Software\Microsoft\windows\current version\run
HKLM/Software\Microsoft\windows\run
It seems to be a VB 5 PE that hits on two web sites, scorpionsearch.com and
fastcounter.bcentral.com when run. Possibly just generating revenue for
some bod somewhere.
Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server
patches missing and 2 IE6.
This sounded familiar (when I first saw it) but I haven't been able to find
any other references so I thought I'd make one :-) The worry is (of
course) that the server is further compromised. Anyone seen this before?
ciao
dave
---
Dave Edwards
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Services
GPO Box 2048, Adelaide 5001
---
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com