Re: svchost exploit on ports 80, 443 &21
From: Bluto (arf-arf_at_doubleclick.net)
Date: Mon, 05 Apr 2004 06:10:25 -0400

Alastair Smith wrote:
> The technical details of the server are as follows: -
> Windows 2000 Small Business Server with SP4, Exchange 2000 SP3, IE6
> sp1 and all other Microsoft critical updates.
> McAfee Netshield.

There are, reportedly, a number of zero-day (no notice,
no patch) exploits in MS tools and OS being used by professional
black hats, especially in Russia. Obviously, this is hard to
verify. However, it's possible that there are some, and that
your script-kiddie got one (a pro hacker wouldn't advertise,
like yours has done) and used it on you.

But, there's a general consensus, at least in the Windows AND
Linux-using community that I'm part of, that anything with ActiveX
is NOT appropriate for exposure to the Internet. And, it
sounds like you may well have some ActiveX 'bits' showing in
public. If so, that may well be an approach you want to reconsider.
ActiveX was designed for convenience, not security.

Also, web mail tools (including those running on Linux) have a
pretty spotty security record -- you may want to see how you
can lock down (and log) those tools further, once you are back
up and running.