Security Incidents
mailing list archives
Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: "Rainer Duffner" <rainer () ultra-secure de>
Date: Tue, 07 May 2002 18:12:09 +0200
Edwards, David (JTS) writes:

> Hi,
>
> We've just found some instances of "netbuie.exe" running in some terminal
> server sessions here. The file was written to the Winnt\system32
> [snip]
> Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k
> Server patches missing and 2 IE6.
>
> This sounded familiar (when I first saw it) but I haven't been able to
> find any other references so I thought I'd make one :-) The worry is
> (of course) that the server is further compromised. Anyone seen this
> before?

No, but if one of the missing patches was the one against the "DebPloit",
then the person could really have done "anything".
And thus it is, as always, best to reload the OS.

Does system32 still have full control for everybody?
Or was the file written by an administrator?

cheers,
Rainer
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Rainer Duffner Munich
rainer () ultra-secure de Germany
http://www.i-duffner.de Freising
========================================
When shall we three meet again
In thunder, lightning, or in rain?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com