RE: Pubstro rash
From: David Gillett (gillettdavid_at_fhda.edu)
Date: 03/17/05
- Previous message: David Gillett: "Pubstro rash"
- Next in thread: Nick FitzGerald: "RE: Pubstro rash"
- Reply: Nick FitzGerald: "RE: Pubstro rash"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <incidents@securityfocus.com>
Date: Thu, 17 Mar 2005 12:35:11 -0800
Further detail: I'm being told that all of the compromised
workstations are running 2KPro or NTW. So that suggests that
the attackers are getting in through a hole that is fixed in
XP or its service packs.
> -----Original Message-----
> From: David Gillett [mailto:gillettdavid@fhda.edu]
> Sent: Wednesday, March 16, 2005 5:59 PM
> To: 'incidents@securityfocus.com'
> Subject: Pubstro rash
>
>
> A few times in the past, someone has managed to break
> into one or another of our servers and set up an FTP server
> ("pubstro") on an unused high port. I'm facing something
> similar at the moment, but there are some distinct differences:
>
> 1. The compromised hosts are workstations, not servers.
> I'm hoping our field techs will be able to identify a
> common OS/SP level amongst the compromised machines. No
> servers appear to be affected.
>
> 2. There have been 14 of them in less than 5 days. OUCH.
>
> 3. Instead of a random high port, the installed FTP server
> listens on port 53. Which I can't block, because DNS may
> need to use it, right?
>
> 4. The FTP banners all claim to be the work of "Droppunx".
>
> 5. At this point, I don't know how the machines are getting
> compromised initially. I'd appreciate if anyone else is seeing
> this pattern and has some insight they'd care to share.
>
> David Gillett
>
>
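A defender-side triage check for the pattern described in the thread (a rogue FTP daemon listening on TCP/53 on workstations), added here as example code that is not part of the original post. It assumes `netstat -an` output is collected from the hosts; the sample output and the FTP greeting are constructed.

```python
"""Triage helper for the TCP/53 pubstro pattern. A workstation should have
nothing LISTENING on TCP/53 (a DNS client only makes outbound queries), and a
real DNS server never speaks first, so an unsolicited RFC 959 "220 ..."
greeting on that port indicates a rogue FTP daemon, not DNS.
Example code, not from the original post; sample data is constructed."""
import re
import socket

# Constructed sample of `netstat -an` output from a Windows 2000 workstation.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    10.1.2.3:139           0.0.0.0:0              LISTENING
  TCP    10.1.2.3:53            10.9.9.9:4021          ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

FTP_GREETING = re.compile(rb"^220[ -]")  # RFC 959 "service ready" reply


def port53_listeners(netstat_text):
    """Return local addresses that have a TCP socket LISTENING on port 53."""
    hits = []
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "TCP" and cols[3] == "LISTENING":
            addr, _, port = cols[1].rpartition(":")
            if port == "53":
                hits.append(addr)
    return hits


def looks_like_ftp(banner):
    """True if bytes volunteered by the server look like an FTP greeting."""
    return bool(FTP_GREETING.match(banner.lstrip()))


def probe_port53(host, timeout=3.0):
    """Connect to host:53 and return whatever the service sends unprompted.
    Legitimate DNS stays silent until queried, so any data is suspicious."""
    with socket.create_connection((host, 53), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(512)
        except socket.timeout:
            return b""
```

Run `port53_listeners` over collected netstat output to find candidate hosts, then `looks_like_ftp(probe_port53(host))` to confirm without blocking DNS for everyone.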