From: Security (security_at_mail-arc.com)
Date: Fri Sep 06 2002 - 18:37:00 CDT

    We've seen lots of compromises on Windows 2K/XP
    boxes with evidence of earlier (Mar-May) compromises.
    We have found cmd.exe backdoors at ports 1111:tcp
    and 2468:tcp plus lots of xdcc bots. Only one problem:
    we don't know how they are getting in. We are pretty
    sure it is not the following:

        o virus from email or web browsing
        o weak passwords
        o problems with media player.
        o open shares

    The only common denominator we found is SMB.
    We had large 445:tcp scans around the same time
    as the latest compromises. Could it be:

           http://online.securityfocus.com/bid/5556

    Bob Todd
    --------------------------------------------------------
    Advanced Research Corporation (r)
    http://www-arc.com

    ----- Original Message -----
    From: "Baribault, Gary" <garybaribault.net>
    To: "H C" <keydet89yahoo.com>; "Bronek Kozicki" <brokrubikon.pl>;
    <incidentssecurityfocus.com>
    Sent: Friday, September 06, 2002 5:35 PM
    Subject: Re: Q328691 ?

    > Microsoft themselves have admitted that there was a dramatic increase in
    > attacks on Win2K servers .. this is public knowledge .. they have not given
    > out all of the details, and this 'could' be using known existing problems,
    > but it did not sound like that from their explanations.
    >
    > They claim that they have .bat files and known Trojans from the compromised
    > systems, but that they do not consider the attacks to be a 'worm'.
    >
    > I don't know why you are disputing the increase just because there have
    > been no details revealed yet. The gentleman just said that there was an
    > increase in attacks.
    >
    > Gary B
    >
    > At 02:09 PM 9/6/2002 -0700, H C wrote:
    > >Increase in attacks? How so?
    > >
    > >My idea is this...the alert says absolutely nothing of
    > >use.
    > >
    > >
    > >--- Bronek Kozicki <brokrubikon.pl> wrote:
    > > > There seems to be an increase of attacks on Windows
    > > > recently:
    > > >
    > >http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
    > > >
    > > > Any ideas?
    > > >
    > > >
    > > > B.
    > > >
    > > >
    > > >
    > > >
    >
    > > > ---------------------------------------------------------------------------
    > > > This list is provided by the SecurityFocus ARIS
    > > > analyzer service.
    > > > For more information on this free incident handling,
    > > > management
    > > > and tracking system please see:
    > > > http://aris.securityfocus.com
    

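As an added example (not part of the original message or thread), the indicators Bob Todd reports, cmd.exe backdoors listening on 1111/tcp and 2468/tcp with SMB as the common denominator, can be checked against saved `netstat -an` output from a suspect host. The function name, the sample output and its addresses are constructed for illustration.

```python
import re

BACKDOOR_PORTS = {1111, 2468}   # cmd.exe backdoor ports named in the post
SMB_PORT = 445                  # the post's "common denominator"

# One TCP row of `netstat -an` (or -ano) output; IPv4 or bracketed IPv6.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+)\s+([A-Z_0-9]+)(?:\s+\d+)?\s*$")

def triage(netstat_text):
    """Summarise one host's netstat output against the indicators in the post."""
    rows = [m.groups() for m in map(ROW.match, netstat_text.splitlines()) if m]
    listening = {int(p) for _, p, _, s in rows if s == "LISTENING"}
    backdoors = sorted(listening & BACKDOOR_PORTS)
    # Windows 2000/XP hands out ephemeral ports from 1025-5000, so an outbound
    # connection can legitimately use local port 1111 or 2468. Count a session
    # only when the same port also has a listener on this host.
    sessions = sorted(
        (int(p), remote) for _, p, remote, s in rows
        if s == "ESTABLISHED" and int(p) in backdoors
    )
    return {"backdoor_listeners": backdoors, "sessions": sessions,
            "smb_listening": SMB_PORT in listening}

# Constructed sample output (documentation addresses, not from the thread).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1111           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:11111          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1111        198.51.100.7:4021      ESTABLISHED
  TCP    192.0.2.10:2468        203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit here only says a listener exists on one of the reported ports; identifying the owning process and how it got there is still a separate step.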