Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-
From: pedro (matrixdirtypervert(DELETE)_at_hotmail.com)
Date: 07/13/03
- Previous message: Snuffy2: "USB Flash Drive as a USB Token"
- In reply to: FTP Man: "Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-"
- Next in thread: Brian Desmond [MVP]: "Re: What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 13 Jul 2003 13:53:54 +0100
"FTP Man" <FTP@Man.com> wrote in message news:3F10391C.11B7ECC1@Man.com...
> pedro wrote:
>
> > > When I see this in my NT4 security log, what does it mean? (see
> > > below).
>
> > > -----------------------
> > > Event Viewer
> > > Security log
> > > Object Access
> > > User: System
> > >
> > >
> > > Object Open:
> > > Object Server: Security
> > > Object Type: File
> > > Object Name:
> > > D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
> > > tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
>
> There are more entries like this BTW
>
> > Looks to me like you dropped your firewall and had an FTP service
> > installed on your system
>
> How does something like this actually get installed?
It gets installed when someone scans and finds a vulnerability in your OS,
gains entry using a remote access tool and installs a pack including an FTP
server and some remote tools...
>
> Does NAV check for stuff like this?
Yes, it scans for it, but NAV is *** at detecting anything like this.
>
> Any software I can run that will detect this stuff - and kill it?
Yes, use a process viewer to see what threads any unusual services are using,
trace them and delete them, or check the links at the end of the message.
>
> > Have a look at your running processes & check for any FTP
> > servers running (probably Serv-U or Raiden), or remote service tools
> > like FireDaemon or Service Manager.
> > It's also possible that the services have been cheekily renamed
> > as Windows processes like winlogon or svchost. Look for multiples
> > of these running, then it's deducing which are required by Windows
> > to run and which may be part of a hack pack,
>
> I have noticed that something called "winlogon" always comes up as
> being shared when I restart the computer (which doesn't happen that
> often) and I always stop sharing it immediately after a re-start.
>
> > You never said what OS you run, but I'd bet my last coin it's Win2k
>
> I said above that it's NT4 (NT4 Server, with SP6).
Keep your firewall up. If you want me to have a look at your OS, drop me a
mail.
Until then, try these:
http://www.pestpatrol.com/
http://www.belarc.com/free_download.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
Pedro
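
The check for services renamed as Windows processes that the post above describes, written out as an added example (it is not part of the original message). The process list is constructed sample data; the set of system process names, the `C:\WINNT\system32` system directory and the single-console-session assumption about which names may legitimately run more than once are assumptions of this example.

```python
import ntpath
from collections import Counter

# Constructed sample: (pid, image path) pairs as exported from a process viewer.
SAMPLE = [
    (20, r"C:\WINNT\system32\smss.exe"),
    (44, r"C:\WINNT\system32\winlogon.exe"),
    (212, r"C:\WINNT\system32\services.exe"),
    (388, r"D:\RECYCLER\tools\winlogon.exe"),
    (402, r"C:\WINNT\system32\svchost.exe"),
    (430, r"C:\WINNT\system32\svchost.exe"),
    (516, r"C:\WINNT\Temp\svchost.exe"),
    (600, r"C:\Program Files\App\editor.exe"),
]

# Assumption: system process names, mapped to whether several instances
# are normal on a machine with a single console session.
SYSTEM_NAMES = {
    "smss.exe": False,
    "winlogon.exe": False,
    "services.exe": False,
    "lsass.exe": False,
    "svchost.exe": True,
}


def find_masquerades(procs, system_dir=r"C:\WINNT\system32"):
    """Return (pid, name, reason) for processes that use a system process
    name but run from another directory or appear more often than expected."""
    expected = ntpath.normcase(system_dir).rstrip("\\")
    counts = Counter(ntpath.basename(path).lower() for _, path in procs)
    findings = []
    for pid, path in procs:
        name = ntpath.basename(path).lower()
        if name not in SYSTEM_NAMES:
            continue  # not pretending to be a system process
        if ntpath.normcase(ntpath.dirname(path)) != expected:
            findings.append((pid, name, "outside system directory"))
        if counts[name] > 1 and not SYSTEM_NAMES[name]:
            # Every instance is listed so the genuine one can be told apart.
            findings.append((pid, name, "unexpected duplicate"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_masquerades(SAMPLE):
        print(f"pid {pid:>4}  {name:<14} {reason}")
```

A duplicate finding on the copy in the system directory only means a second process shares its name; the path finding is what separates the genuine image from the renamed one.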