Snort mailing list archives

Re: WIN2K IRC Trojan


From: Gary Flynn <flynngn () jmu edu>
Date: Fri, 06 Sep 2002 16:58:37 -0400

"F.M. Taylor" wrote:

> Dudez, wtf is up with this trojan/hack/bot/win2k exploit that seems to be
> spreading itself fairly rapidly.  Is there a sig for this yet?  Does anyone
> even know how this thing is being spread??

Everyone I've talked to seems to think it spreads through
weak or nonexistent w2k Administrator passwords. If that
is the case, a signature that looks for netbios over tcp
connections to port 139 with the Administrator account 
trying to access the C$ share should do the trick.

-- 
Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.
http://www.jmu.edu/computing/runsafe
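
The correlation suggested in the message above, as an added example (not part of the original post, and not a Snort rule): it flags a flow to port 139 in which an SMB1 session setup names Administrator and a later tree connect targets the C$ share. The packet tuples, helper names and sample payloads are constructed, simplified assumptions.

```python
# Added example: content-match logic in the style of an IDS signature.
# Sample payloads are constructed and simplified, not captured traffic.
NBSS_LEN = 4                    # NetBIOS session service header length
SMB_MAGIC = b"\xffSMB"          # SMB1 protocol identifier
SESSION_SETUP_ANDX = 0x73       # SMB1 command that carries the account name
TREE_CONNECT_ANDX = 0x75        # SMB1 command that carries the share path

def both_encodings(text):
    """Return the ASCII and UTF-16LE forms, since SMB1 may use either."""
    return (text.encode("ascii"), text.encode("utf-16-le"))

ACCOUNT = both_encodings("administrator")
SHARE = both_encodings("\\c$\x00")   # path ending in \C$ plus terminator

def smb_command(payload):
    """Return the SMB1 command byte, or None if this is not SMB1."""
    if len(payload) < NBSS_LEN + 5 or payload[NBSS_LEN:NBSS_LEN + 4] != SMB_MAGIC:
        return None
    return payload[NBSS_LEN + 4]

def detect(packets):
    """packets: iterable of (flow_id, dst_port, payload). Returns alerting flow ids."""
    admin_flows, alerts = set(), []
    for flow, port, payload in packets:
        if port != 139:
            continue
        cmd, body = smb_command(payload), payload.lower()  # case-insensitive match
        if cmd == SESSION_SETUP_ANDX and any(a in body for a in ACCOUNT):
            admin_flows.add(flow)       # remember which flow used the account
        elif cmd == TREE_CONNECT_ANDX and flow in admin_flows:
            if any(s in body for s in SHARE) and flow not in alerts:
                alerts.append(flow)
    return alerts

def smb(cmd, text, wide=False):
    """Build a constructed, simplified NBSS + SMB1 message for testing."""
    data = text.encode("utf-16-le" if wide else "ascii")
    msg = SMB_MAGIC + bytes([cmd]) + b"\x00" * 27 + data   # 32-byte SMB header
    return b"\x00\x00" + len(msg).to_bytes(2, "big") + msg

SAMPLE = [  # constructed flows: A and C should alert, B should not
    ("A", 139, smb(SESSION_SETUP_ANDX, "Administrator\x00")),
    ("A", 139, smb(TREE_CONNECT_ANDX, "\\\\10.0.0.5\\C$\x00")),
    ("B", 139, smb(SESSION_SETUP_ANDX, "jsmith\x00", wide=True)),
    ("B", 139, smb(TREE_CONNECT_ANDX, "\\\\10.0.0.5\\C$\x00", wide=True)),
    ("C", 139, smb(SESSION_SETUP_ANDX, "ADMINISTRATOR\x00", wide=True)),
    ("C", 139, smb(TREE_CONNECT_ANDX, "\\\\10.0.0.5\\c$\x00", wide=True)),
]
```

Matching on the account name alone would fire on every legitimate administrator logon; tying it to the C$ tree connect in the same flow is what narrows the alert to the behaviour described.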

