[unisog] Infected windows boxes with IRC controlled trojans on them

H. Morrow Long morrow.long at yale.edu
Thu Apr 11 07:52:07 GMT 2002


We've not seen this and since the beginning of this year we've been blocking
NetBIOS over TCP/IP (including TCP port 445) at our border with the Internet.

We have seen similar attacks however by intruders who managed to get access
to accounts on Unix/Linux machines inside our network and then used the
'smbclient' program to accomplish similar compromises - but on Windows 98 PCs.

The intruder used some scripts to semi-automate their probes and install their
trojan software on the disk shares (they were actually using the 'pico' text
editor to add invocation lines to the remote c:\autoexec.bat and various *.INI files).

We found one such intruder in January (on multiple occasions using different
accounts) in the act of attacking other universities (the intruder was logging in
from yet another University) -- whom we stopped and we notified the other universities.

- H. Morrow Long
  University Information Security Officer
  Yale University, ITS, Dir. InfoSec Office

Gary Flynn wrote:
> 
> Mark Newman wrote:
> >
> > Can anyone comment on the method of exploit?
> >
> > Admin shares and anonymous enumeration have been the commonality with
> > machines here...but, *how* was this done?
> 
> Along the same vein, I'd like to know if anyone that blocks netbios at
> the Internet border has seen this.
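The post makes a point a border filter alone does not address: an intruder who already holds an account on an internal Unix host and runs smbclient from there never crosses the Internet border, so the NetBIOS/445 block does not see the probing. The script below is an added example, not code from the original thread or from Yale; it scans a constructed flow-log excerpt (timestamp, source, destination, protocol, destination port, all addresses invented for the example) and flags internal sources that fan out to many distinct hosts on TCP 139/445, which is the signature of the semi-automated share probing described above. It also lists any SMB flows that involve an external address, which should not exist if the border filter is complete. The log format, address ranges and fan-out threshold are assumptions for the example.

```python
"""Flag internal hosts probing many SMB/NetBIOS shares in flow records.

Added example (not from the original post). The border filter described in
the thread drops NetBIOS/445 from the Internet, but probing launched from an
internal Unix box with smbclient stays inside the network. Fan-out on TCP
139/445 from a single internal source is what that looks like in flow logs.
The flow format, addresses and threshold below are constructed for the example.
"""
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}
# RFC 1918 space stands in for the campus network (assumption for the example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
# Distinct SMB destinations from one source before we call it probing.
FANOUT_THRESHOLD = 5

# Constructed flow records: "<timestamp> <src> <dst> <proto> <dport>".
SAMPLE_FLOWS = """\
2002-04-10T23:01:02 10.1.2.3 10.1.5.10 TCP 445
2002-04-10T23:01:03 10.1.2.3 10.1.5.11 TCP 139
2002-04-10T23:01:04 10.1.2.3 10.1.5.12 TCP 445
2002-04-10T23:01:05 10.1.2.3 10.1.5.13 TCP 445
2002-04-10T23:01:06 10.1.2.3 10.1.5.14 TCP 139
2002-04-10T23:01:07 10.1.2.3 10.1.5.15 TCP 445
2002-04-10T23:02:00 10.1.7.7 10.1.5.20 TCP 445
2002-04-10T23:02:01 10.1.7.7 10.1.5.20 TCP 445
2002-04-10T23:03:00 10.1.9.9 10.1.5.30 TCP 80
2002-04-10T23:04:00 203.0.113.5 10.1.5.40 TCP 445
2002-04-10T23:05:00 10.1.2.3 198.51.100.8 TCP 139
"""


def is_internal(addr):
    """True if the address falls inside one of the campus ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse the five-field flow format into (ts, src, dst, proto, dport) tuples.

    Malformed or blank lines are skipped rather than aborting the scan.
    """
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        ts, src, dst, proto, dport = fields
        try:
            records.append((ts, src, dst, proto.upper(), int(dport)))
        except ValueError:
            continue
    return records


def smb_fanout(records, threshold=FANOUT_THRESHOLD):
    """Map each internal source that reached >= threshold distinct SMB
    destinations to the sorted list of those destinations."""
    targets = defaultdict(set)
    for _ts, src, dst, proto, dport in records:
        if proto == "TCP" and dport in SMB_PORTS and is_internal(src):
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


def external_smb(records):
    """SMB flows with an external endpoint: any hit means the border filter
    is not catching everything it is supposed to."""
    return [r for r in records
            if r[3] == "TCP" and r[4] in SMB_PORTS
            and not (is_internal(r[1]) and is_internal(r[2]))]


if __name__ == "__main__":
    recs = parse_flows(SAMPLE_FLOWS)
    for src, dsts in smb_fanout(recs).items():
        print(f"SMB fan-out from {src}: {len(dsts)} hosts -> {', '.join(dsts)}")
    for ts, src, dst, _proto, dport in external_smb(recs):
        print(f"SMB across border at {ts}: {src} -> {dst}:{dport}")
```

Run against real flow exports, the interesting cases are the internal sources that show up here with a Unix login history rather than a Windows one; the post's intruders came in through compromised Unix/Linux accounts, so pairing this fan-out list with the login records of those hosts is what turns an alert into an investigation.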