[Intrusions] Port Scanning on 1026 & 1027
Leeuwen, Allan van
allan.vanleeuwen at orangemail.nl
Wed Sep 7 11:08:31 GMT 2005
There was an old vulnerability in the messenger service (allowing code
execution under SYSTEM privileges).
That was about 2 years ago though .. If you had not installed that patch
yet .. You would have different problems.
Gr
Allan
-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Andrew Daviel
Sent: Wednesday, September 07, 2005 3:26 AM
To: Intrusions List (GCIA Practicals)
Subject: Re: [Intrusions] Port Scanning on 1026 & 1027
On Thu, 28 Jul 2005, Smith, Donald wrote:
> I believe you're correct re: xpsp2 but there are TONS of other Windows
> systems out there. Old exploits continue to be used because they
> work:)
Just got back from vacation ...
A colleague reports a Windows worm on August 25th identified as
"Hacktool" by Symantec.
My network logs (300 bytes/packets or so) include a messenger packet
around the time of the worm infection. This could of course be a total
coincidence ... there is an ICMP packet saying the port was closed.
"SYSTEM ALERT .. STOP! WINDOWS REQUIRES IMMEDIATE
ATTENTION Windows has found 47 CRITICAL SYSTEM ERRORS! To fix the
erro....."
Seeing as this arrived at 2am local, I don't think a user would have
clicked "OK".
Is there anything exploiting these ports now, apart from just spam?
--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
security at triumf.ca