Re: FTP and Win2K changed security policy
From: Don Voss <voss(at)albany.edu>
Date: Wed Nov 20 2002 - 12:23:01 EST
Short version: remote location complains about probes from a unit in my area, sends logs. First look at unit .. virus app off .. attempt to restart .. failed .. close look .. I can "feel" the background tasks running, mouse skitter, video jitter, delays, etc. Pull it off the net .. start to dig. Found various materials .. buried deep was a warez game ftp archive .. + MS IRC material floating in background. I do not think this is one exploit .. nor yours .. I think it plays out like this: automated scan pounding out exploits or email trojan attachment .. regardless .. success posted in lusers IRC area + IRC bots "sharing" the trophy. Next luser comes along and "uses" the trophy, and the next .. Multiple material from multiple lusers. A combo effect from an open door. So it goes. Clean house, re-lock the doors. Watch out for net shares propagation of these trojans.
regards,
On 18 Nov 2002 at 12:37, Bojan Zdrnja wrote:
> I'm sending this 2nd time because I didn't receive any message neither
[snip]

Don Voss
v o s s @ a l b a n y . e d u
The most human thing we can do is comfort the afflicted and afflict the comfortable. -- Clarence Darrow

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Nov 21 20:39:30 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT