[unisog] Re: Coordinated Scan

Goverts IV, Paul pgoverts at sjfc.edu
Thu Apr 4 16:15:46 GMT 2002

It's especially easy if you have a tool such as Nessus, where one of the
plugins actually queries the PC for netbios information, and it can not only
return the names of users that use that PC, but potentially also the names
of other PC's that the PC has browsed on Network Neighborhood.


-----Original Message-----
From: Jenett Tillotson [mailto:jtillots at pharmacy.purdue.edu] 
Sent: Thursday, April 04, 2002 9:04 AM
To: unisog at sans.org
Subject: RE: [unisog] Re: Coordinated Scan

Let me also add that I think this was the result of poor user habits.  3
of the boxes that were broken into had a blank administrator password.
Also, there were logs of other attempts on campus where one box had 160
attempts to log into an account with administrator privileges.

What puzzles me is that none of the accounts involved were actually the
administrator account, but another account with administrator privilege.
Excuse my ignorance with Microsoft products, but how does a hacker find
out the usernames on a Windows box?

Jenett Tillotson
School of Pharmacy
Purdue University

On Wed, 3 Apr 2002, Terry Cavender wrote:

> You may also want to read this and note the security warning at the
> 	http://www.firedaemon.com/
> Seems like a good product.
> --On Wednesday, April 03, 2002 9:03 AM -0800 Huba Leidenfrost
<huba at uidaho.edu> wrote:
> >
> > Hash: SHA1
> >
> > We fired off sample copies of what we saw here (as probably did many
> > of you) to SOPHOS, NAV, & F-Secure.  F-Secure now has detection for
> > this and I'm sure the others will follow.
> >
> > I haven't seen a conclusive writeup.  However it would appear that
> > this is just another rendition of the global threat (GT Bot) as
> > mentioned earlier (http://bots.lockdowncorp.com/gtbot.html).
> > Although we still don't know exactly what the dropper was I'm
> > inclined to believe that the reason was simply poor user habits in
> > terms of surfing and password settings.  All the systems we saw
> > hacked were 2000 Professional where the user had set their
> > administrator password to nothing.
> >
> >    H  u  b  a
> > - -
> > HUBA LEIDENFROST           Systems Security Analyst
> > huba at uidaho.edu     Information Technology Services
> > University Of Idaho      TEL/FAX: 208.885.2126/7539
> > http://www.its.uidaho.edu/info-security/runsafe.htm
> >

More information about the unisog mailing list