RE: Pubstro rash

From: Bourque Daniel (Daniel.Bourque_at_loto-quebec.com)
Date: 03/17/05

  • Next message: Mark Coleman: "Re: Pubstro rash"
    To: "'gillettdavid@fhda.edu'" <gillettdavid@fhda.edu>, incidents@securityfocus.com
    Date: Thu, 17 Mar 2005 16:37:55 -0500

    Yes, you can block TCP/UDP 53 for all except your real DNS server.

    Nobody needs DNS/SMTP access from inside to outside your firewall. You just
    have to open it for your dedicated server.

    -----Original Message-----
    From: David Gillett [mailto:gillettdavid@fhda.edu]
    Sent: March 17, 2005 15:35
    To: incidents@securityfocus.com
    Subject: RE: Pubstro rash

      Further detail: I'm being told that all of the compromised workstations
    are running 2KPro or NTW. So that suggests that the attackers are getting
    in through a hole that is fixed in XP or its service packs.

    > -----Original Message-----
    > From: David Gillett [mailto:gillettdavid@fhda.edu]
    > Sent: Wednesday, March 16, 2005 5:59 PM
    > To: 'incidents@securityfocus.com'
    > Subject: Pubstro rash
    >
    >
    > A few times in the past, someone has managed to break
    > into one or another of our servers and set up an FTP server
    > ("pubstro") on an unused high port. I'm facing something
    > similar at the moment, but there are some distinct differences:
    >
    > 1. The compromised hosts are workstations, not servers.
    > I'm hoping our field techs will be able to identify a
    > common OS/SP level amongst the compromised machines. No
    > servers appear to be affected.
    >
    > 2. There have been 14 of them in less than 5 days. OUCH.
    >
    > 3. Instead of a random high port, the installed FTP server
    > listens on port 53. Which I can't block, because DNS may
    > need to use it, right?
    >
    > 4. The FTP banners all claim to be the work of "Droppunx".
    >
    > 5. At this point, I don't know how the machines are getting
    > compromised initially. I'd appreciate it if anyone else is seeing
    > this pattern and has some insight they'd care to share.
    >
    > David Gillett
    >
    >

