Re: netbios vuln
From: Nick FitzGerald <nick(at)virus-l.demon.co.uk>
Date: Mon Dec 09 2002 - 04:36:51 EST
Probably Opaserv...

> This morning I read this article. It seems to hint at a way to run

It hints that rather weakly. But note that Opaserv itself could be described, rather loosely, in those terms, so...

> ... now my question is does anyone know

You have posted far too little information for anyone to contribute anything strongly meaningful. A report such as "I have been ["seen"?] a ridiculous amount of netbios traffic at my main firewall." hardly counts as a useful data point. Perhaps there was a reason your initial post was dropped...

> ... is anyone seeing the netbios traffic and

I think you'll find lots of people are, though it's probably tailing off somewhat now.

> finally is it just the author of the article (who is not a security

There could be an element of that too...

> A teenage hacker attacked an online chatroom run by The Edge radio

This is, as I said above, a sufficiently loose description of how Opaserv works. It scans the IP address space looking for machines apparently running SMB over TCP/IP, then tries faking the full one-character password space to "crack" Win9x/ME machines not patched against MS00-072. If it succeeds in connecting to the C: drive of such a machine, it then writes a copy of itself to the machine and a startup command in a system configuration file, and starts all over again from that machine when it is next restarted.

This is all enabled by a horrendous comedy of errors, starting with a mind-numbingly stupid (in security terms) "feature" of the share-level password authentication scheme, the ease with which MS allows this "not really secure enough for physically secured networks anyway" to be enabled on a (by design) grossly insecure and largely unaudited public network such as the Internet, the default binding of network protocols and services on those OSes such that, by default, nearly every such machine with an Internet connection will be publicly exposing this vulnerability, the default use of entirely predictable share names and installation directories, and so on...

> The infected computers (bots - short for robots) signal their

And this is just a different payload to the basic Opaserv installation mechanism. In fact, it could even be easier than this. Thousands upon thousands of Windows machines on the Internet have publicly exposed shares _with no password at all_, exposing their system directories to whoever wishes to rape and/or plunder.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue Dec 10 00:56:09 2002
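The fan-out pattern Nick describes (one host probing many addresses for SMB over TCP/IP) is what a firewall log shows during an Opaserv-style sweep. The following is an added detection example, not code from the original thread; it uses constructed iptables-style log lines and assumes UDP/137 and TCP/139 as the NetBIOS ports of interest.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (iptables-style); not from the original thread.
SAMPLE_LOG = """\
Dec 09 04:30:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.1 PROTO=UDP SPT=137 DPT=137
Dec 09 04:30:01 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.2 PROTO=UDP SPT=137 DPT=137
Dec 09 04:30:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.3 PROTO=TCP SPT=1045 DPT=139
Dec 09 04:30:02 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.4 PROTO=TCP SPT=1046 DPT=139
Dec 09 04:30:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=1047 DPT=139
Dec 09 04:30:03 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.6 PROTO=TCP SPT=1048 DPT=139
Dec 09 04:30:04 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=2001 DPT=139
Dec 09 04:30:04 fw kernel: DROP IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=2002 DPT=139
Dec 09 04:30:05 fw kernel: DROP IN=eth0 SRC=192.0.2.11 DST=203.0.113.9 PROTO=TCP SPT=3000 DPT=80
"""

# Assumed ports: NetBIOS name service (UDP/137) and session service, i.e. SMB over TCP/IP (TCP/139).
NETBIOS_PORTS = {("UDP", 137), ("TCP", 139)}
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) .*?DPT=(\d+)")


def parse_netbios_events(log_text):
    """Yield (src, dst) for every log line aimed at one of the NetBIOS ports."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, proto, dpt = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if (proto, dpt) in NETBIOS_PORTS:
            yield src, dst


def find_scanners(log_text, min_targets=5):
    """Return {src: distinct destination count} for sources that probed NetBIOS
    ports on at least min_targets different hosts.

    Counting distinct destinations (not packets) separates a share-scanning
    worm, which touches many hosts once each, from a legitimate client that
    hammers a single file server repeatedly.
    """
    targets = defaultdict(set)
    for src, dst in parse_netbios_events(log_text):
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible share scanner: {src} probed {n} distinct hosts on NetBIOS ports")
```

In the sample, only 198.51.100.7 is flagged; 192.0.2.10 hits one host twice and 192.0.2.11 is port 80 traffic, so neither is reported.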