Re: IRAQ_OIL.EXE and Port 445 traffic
From: Philip Sloss (stuff@lupwa.org)
Date: 12/16/02
From: "Philip Sloss" <stuff@lupwa.org> Date: Mon, 16 Dec 2002 20:03:05 -0000
"Tim Blizard" <timb@maxit.com.au> wrote in message
news:b2508eb6.0212160754.19375523@posting.google.com...
> To anyone who can help.
>
> On Saturday 14 December 2002 I noticed unexpected traffic on my
> Internet modem. A trace showed large numbers of attempts by my server
> to connect to other servers on port 445. I checked Task Manager and
> found a process called IRAQ_OIL.EXE. When I killed this process, the
> traffic stopped.
It's a new worm:
http://www.dslreports.com/forum/remark,5340211~root=security,1~mode=flat
...we're still analyzing it, but technical information should be available
soon.
> Until I'm sure that I have closed whatever vulnerability allowed this
> file onto my server and can be sure that others are safe from me, I
> have shut down my Internet link.
It's exploiting null session capabilities to get remote information, so I'd
suggest checking your local security policy. How strong are the passwords
on your system's accounts?
Philip Sloss
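
The local security policy check suggested in the reply above can be done by reading the registry values behind the policy's anonymous-access entries. This is an added example, not part of the original thread or written by its participants; the target values it compares against are assumptions to adjust to your own baseline.

```powershell
# Added example (not from the original thread): read-only audit of the registry
# values behind the anonymous-access entries in Local Security Policy.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Target values are this example's assumptions; adjust them to your own baseline.
$dwordChecks = @(
    @{ Path = $lsa; Name = 'RestrictAnonymous';         Ok = { param($v) $v -ge 1 } }
    @{ Path = $lsa; Name = 'RestrictAnonymousSAM';      Ok = { param($v) $v -eq 1 } }
    @{ Path = $lsa; Name = 'EveryoneIncludesAnonymous'; Ok = { param($v) $v -eq 0 } }
    @{ Path = $srv; Name = 'RestrictNullSessAccess';    Ok = { param($v) $v -eq 1 } }
)
# Multi-string lists of pipes and shares that anonymous sessions may open.
$listChecks = @(
    @{ Path = $srv; Name = 'NullSessionPipes' }
    @{ Path = $srv; Name = 'NullSessionShares' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = @()
foreach ($c in $dwordChecks) {
    $v = Get-RegValue $c.Path $c.Name
    if ($null -eq $v) { $status = 'NOT SET (OS default applies)' }
    elseif (& $c.Ok $v) { $status = 'OK' }
    else { $status = 'REVIEW' }
    $report += [pscustomobject]@{ Setting = $c.Name; Value = $v; Status = $status }
}
foreach ($c in $listChecks) {
    # Drop empty entries so an empty or missing list counts as zero items.
    $entries = @(Get-RegValue $c.Path $c.Name | Where-Object { $_ })
    if ($entries.Count -eq 0) { $status = 'OK' } else { $status = 'REVIEW' }
    $report += [pscustomobject]@{ Setting = $c.Name; Value = ($entries -join ', '); Status = $status }
}
$report | Format-Table -AutoSize
```

A REVIEW result is a prompt to look closer, not a verdict: some roles, such as domain controllers, legitimately list a few pipes under NullSessionPipes.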