Security Incidents
mailing list archives
Re: FTP and Win2K changed security policy
From: "Don Voss" <voss () albany edu>
Date: Wed, 20 Nov 2002 12:23:01 -0500
I have experienced this .. not exactly the same but I think you should
direct your research in this direction.
Short version:
remote location complains about probes from a unit in my area, sends
logs.
First look at unit .. virus app off .. attempt to restart .. failed ..
close look .. I can "feel" the background tasks running, mouse skitter,
video jitter, delays, etc.
Pull it off the net .. start to dig. Found various materials .. buried
deep was a warez game ftp archive ..
+ MS IRC material floating in background.
I do not think this is one exploit .. nor yours .. I think it plays out
like this:
automated scan pounding out exploits or an email trojan attachment ..
regardless .. success posted in the lusers' IRC area + IRC bots "sharing" the
trophy. Next luser comes along and "uses" the trophy, and the next ..
Multiple materials from multiple lusers. A combo effect from an open door.
So it goes. Clean house, re-lock the doors. Watch out for net-share
propagation of these trojans.
regards,
/don
On 18 Nov 2002 at 12:37, Bojan Zdrnja wrote:
I'm sending this a second time because I didn't receive any message, either
from the moderator or on the ML.
Hi everyone.
Today one of the employees at my university asked me to check his machine, as
he couldn't use Netmeeting anymore for remote desktop sharing. Some
people here use Netmeeting to easily control their machines from home (I
know I should have banned that before at a lower level, but ...). After I
couldn't find his machine on our domain (and he had been added) I went to his
computer and saw that he didn't have Sophos started at all. Every time I
tried to start Sophos it would just hang. Things became interesting at
that point (for me, not him :).
[snip]
_________________________________________________________
Don Voss v o s s @ a l b a n y . e d u
The most human thing we can do is comfort the afflicted
and afflict the comfortable. -- Clarence Darrow
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
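The symptoms both posters describe (an anti-virus service that will not start, a hidden FTP archive serving warez, IRC bots sharing the compromised host) are exactly what a quick host triage should flag before the box is pulled off the net. The script below is an added example, not code from either poster or from the list: it runs simple detection logic over constructed `netstat -an` and `sc query` style output. The service display name, the port lists and the sample text are all assumptions made for the example; a real host may run the FTP server or IRC client on non-standard ports, so treat the port table as a starting point, not a signature.

```python
"""Host triage over constructed Windows command output (example code, not from the original posts)."""
import re

# Assumed port table: a warez FTP archive on 21 and IRC bots talking to 6667-6669.
# Compromised hosts often use other ports; extend this from what the remote site's logs show.
SUSPECT_LISTEN_PORTS = {21: "ftp (possible warez archive)"}
IRC_PORTS = {6667, 6668, 6669}

# Display name of the AV service we expect to be RUNNING (assumption for the example).
EXPECTED_AV_SERVICE = "Sophos Anti-Virus"

# Constructed sample of `netstat -an` output; addresses are documentation ranges, not real hosts.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1047        198.51.100.7:6667      ESTABLISHED
  TCP    192.0.2.10:1052        203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Constructed sample of `sc query` style output, trimmed to the fields parsed below.
SC_QUERY_SAMPLE = """\
SERVICE_NAME: SAVService
DISPLAY_NAME: Sophos Anti-Virus
        STATE              : 1  STOPPED
SERVICE_NAME: lanmanserver
DISPLAY_NAME: Server
        STATE              : 4  RUNNING
"""

NETSTAT_LINE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["fport"] = None if row["fport"] == "*" else int(row["fport"])
        row["state"] = row["state"] or ""  # UDP lines carry no state column
        rows.append(row)
    return rows


def parse_services(text):
    """Map DISPLAY_NAME -> state word (RUNNING, STOPPED, ...) from `sc query` output."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DISPLAY_NAME:"):
            current = line.split(":", 1)[1].strip()
        elif line.startswith("STATE") and current:
            services[current] = line.split()[-1]  # "STATE : 1  STOPPED" -> "STOPPED"
    return services


def triage(netstat_text, sc_text):
    """Return (category, detail) findings: suspect listeners, IRC client sessions, AV not running."""
    findings = []
    for row in parse_netstat(netstat_text):
        if row["state"] == "LISTENING" and row["lport"] in SUSPECT_LISTEN_PORTS:
            findings.append(("listener", f"{row['proto']} {row['laddr']}:{row['lport']} "
                                         f"{SUSPECT_LISTEN_PORTS[row['lport']]}"))
        elif row["state"] == "ESTABLISHED" and row["fport"] in IRC_PORTS:
            findings.append(("irc-client", f"outbound to {row['faddr']}:{row['fport']} (possible IRC bot)"))
    state = parse_services(sc_text).get(EXPECTED_AV_SERVICE)
    if state != "RUNNING":
        findings.append(("av-down", f"{EXPECTED_AV_SERVICE}: {state or 'not installed'}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(NETSTAT_SAMPLE, SC_QUERY_SAMPLE):
        print(f"[{category}] {detail}")
```

On a live host, feed the script the saved output of `netstat -an` and `sc query` taken before the machine is disconnected, and keep those captures with the remote site's probe logs; the established IRC session is the piece that ties the host to the "sharing" described above and is gone once the cable is pulled.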