Re: FTP and Win2K changed security policy
From: Don Voss (voss@albany.edu)
Date: 11/20/02
From: "Don Voss" <voss@albany.edu>
To: "Bojan Zdrnja" <Bojan.Zdrnja@FER.hr>, <incidents@securityfocus.com>
Date: Wed, 20 Nov 2002 12:23:01 -0500

I have experienced this .. not exactly the same but I think you should
direct your research in this direction.
Short version:
remote location complains about probes from a unit in my area, sends
logs.
First look at unit .. virus app off .. attempt to restart .. failed ..
close look .. I can "feel" the background tasks running, mouse skitter,
video jitter, delays, etc.
Pull it off the net .. start to dig. Found various materials .. buried
deep was a warez game ftp archive ..
+ MS IRC material floating in background.
I do not think this is one exploit .. nor yours .. I think it plays out
like this:
automated scan pounding out exploits or email trojan attachment ..
regardless .. success posted in lusers IRC area + IRC bots "sharing" the
trophy. Next luser comes along and "uses" the trophy, and the next ..
Multiple material from multiple lusers. A combo effect from an open door.
So it goes. Clean house, re-lock the doors. Watch out for net shares
propagation of these trojans.
regards,
/don
On 18 Nov 2002 at 12:37, Bojan Zdrnja wrote:
> I'm sending this a 2nd time because I didn't receive any message either
> from the moderator or on the ML.
>
> Hi everyone.
>
> Today one of the employees at my university asked me to check his machine as
> he couldn't use Netmeeting anymore for remote desktop sharing. Some
> people here use Netmeeting to easily control their machines from home (I
> know I should have banned that before on lower level, but ...). After I
> couldn't find his machine on our domain (and he was added) I went to his
> computer and saw that he hasn't got Sophos started at all. Every time I
> tried to start Sophos it would just hang. Things became interesting at
> that point (for me, not him :).
[snip]
_________________________________________________________
Don Voss v o s s @ a l b a n y . e d u
The most human thing we can do is comfort the afflicted
and afflict the comfortable. -- Clarence Darrow