OSEC

From: H C (keydet89_at_yahoo.com)
Date: Wed Jul 10 2002 - 12:39:55 CDT


    > Having done a superficial examination
    > of system directories on those machines (they had a
    > publicly accessible
    > share, ergo I was invited, wasn't I? <g>)

    Uh...no, you weren't. Just b/c a share is publicly
    accessible, does NOT, in fact, mean that you were
    invited. This is simply the age-old rhetoric used to
    justify malicious actions. While many admins have
    said that they would be very happy to be told by an
    outsider that they had a vulnerable machine, to date
    not a single one has said that they'd be happy to have
    that person access the machine via some vulnerability
    and take files.

    > I downloaded 3 of them and they all seem to be
    > compressed executables

    As with your previous posts, this one is incredibly
    vague and lacking in any useful information.
    Compressed with what? PKZip? UPX? What version?
    Did you uncompress the files?

    > having a common prefix,

    If you're referring to the first couple of bytes of
    the file, "MZ" is the common prefix for executables on
    Windows systems.

    > and there are some fragments
    > of strings ("rom",
    > "y smt", ") with", "ESM", "Mime-", "-Typ", "quit"
    > etc) in that common
    > prefix suggesting there is some SMTP implementation
    > there--presumably
    > some kind of malware able to spread via email.

    Did you run strings on the compressed or uncompressed
    file?
     
    > But I did not find anything similar on other
    > machines I examined.

    Interesting how you've posted to a public list,
    basically stating that while you refuse to do any
    testing on your end to verify that the activity you're
    seeing is a worm (in your own words to me via email,
    you're "too lazy"), you're more than willing to access
    vulnerable systems and take files...

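As an added example (not code from the thread or from any of its participants), here is a small Python triage script for the two technical points raised above: it checks for the "MZ" prefix that every Windows executable carries, reads the PE section table to spot UPX-style packing, and pulls printable strings the way strings(1) does, so the difference between running strings on a packed image and on an unpacked one is visible. The two byte strings, the function names and the UPX0/UPX1 section-name heuristic are my assumptions for the demonstration, not anything taken from the post.

```python
import re
import struct

SECTION_HEADER_SIZE = 40  # size of one IMAGE_SECTION_HEADER entry

def build_sample_pe(section_names, payload=b""):
    """Construct a minimal PE-shaped byte string (a constructed sample, not a real
    binary and not executable). Only the fields parsed below are populated."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # offset of the "PE\0\0" signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + table + payload

def is_mz(data):
    """The "MZ" prefix marks a DOS/Windows executable image."""
    return data[:2] == b"MZ"

def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if not is_mz(data) or len(data) < 0x40:
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return []
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size
    names = []
    for i in range(nsections):
        raw = data[table + i * SECTION_HEADER_SIZE: table + i * SECTION_HEADER_SIZE + 8]
        if len(raw) < 8:
            break
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names

def looks_upx_packed(data):
    """Heuristic (assumption): UPX-packed binaries usually keep UPX0/UPX1 section names."""
    return any(n.startswith("UPX") for n in pe_section_names(data))

def extract_strings(data, min_len=4):
    """Same idea as the strings(1) utility: runs of printable ASCII."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

# Constructed samples: a "packed" image whose body keeps only fragments, and an
# "unpacked" one whose SMTP/MIME strings survive intact.
PACKED_SAMPLE = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"\x8a\x1f\x00rom\x00y smt\x01Mime-\x00")
UNPACKED_SAMPLE = build_sample_pe([b".text", b".data"], b"\x00Content-Type: text/plain\x00From: \x00quit\x00")

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        print(label, is_mz(blob), looks_upx_packed(blob), extract_strings(blob))
```

On the packed sample the only strings recovered beyond the section names are the short fragments, which is why the question of whether strings was run before or after unpacking matters.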

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com