|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: Brenna Primrose (drxlecter_at_phreaker.net)
Date: Wed Jul 10 2002 - 12:39:43 CDT
Several of the machines which have probed me are also the same way.
However, I noticed that nearly all of them had some sort of "porn
dialer" installed. Coincidence? Probably since obviously these people
have no idea what is on their machines...
Brenna
http://profiles.yahoo.com/absolut_contagion
http://gsa.creighton.edu
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t
creighton.edu
-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+
G e* h- r++ x+
------END GEEK CODE BLOCK------
-----Original Message-----
From: Pavel Kankovsky [mailto:peakargo.troja.mff.cuni.cz]
Sent: Wednesday, July 10, 2002 4:18 AM
To: incidentssecurityfocus.com
Subject: RE: TCP port 139 probes
On Wed, 10 Jul 2002, Dan Irwin wrote:
> At least one of these machines appeared to be insecure and i could
> enumerate shares etc with smbclient -L.
Bingo. I looked at some of the source addresses and saw windows
9x machines with publicly accesible shares (I could access them using
an empty username and password). In two or three cases, I checked
whether
the share was writable and it was. Having done a superficial examination
of system directories on those machines (they had a publicly accesible
share, ergo I was invited, wasn't I? <g>) I found some wierd files on
one
of those machines:
winhlp32.exe A 317440 Fri Jul 5 15:43:08
2002
notepad.exe A 317440 Fri Jul 5 15:43:08
2002
control.exe A 317440 Fri Jul 5 15:43:08
2002
scanregw.exe A 317440 Fri Jul 5 15:43:08
2002
ifnhlp.sys A 317440 Tue Jul 9 22:20:00
2002
scanregw.exe A 317440 Fri Jul 5 15:43:40
2002
loadpe.com A 317440 Fri Jul 5 15:43:40
2002
msiexec.exe A 317440 Fri Jul 5 15:43:08
2002
wf2k.exe A 317440 Fri Jul 5 15:43:40
2002
I downloaded 3 of them and they all seem to be compressed executables
having a common prefix, and there are some fragments of strings ("rom",
"y smt", ") with", "ESM", "Mime-", "-Typ", "quit" etc) in that common
prefix suggesting there is some SMTP implementation there--presumably
some kind of malware able to spread via email.
But I did not find anything similar on other machines I examined.
--Pavel Kankovsky aka Peak [ Boycott
Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for
assimilation."
------------------------------------------------------------------------
---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]