[unisog] RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files

Daniel G. Epstein depstein at uchicago.edu
Wed Mar 27 06:08:08 GMT 2002


On Tue, Mar 26, 2002 at 11:46:33PM -0600, Daniel G. Epstein wrote:
> strings output, along with an author going by the name of Assassin.  We
> have seen these as trojaned versions of C:\WINNT\system32\W32Time.exe
> and MSTask.exe, but they don't return such an obvious prompt as you
> describe.
 
Oops, I forgot to mention that these binaries were listening on TCP 7
and TCP 1025.  It occurs to me that Tracey Losco from NYU was asking about
port 1025 scans in the "Coordinated Scans" thread . . . perhaps the
scanners were looking for that?

Cheers,

Dan

 
-- 

A boast of "I have been's,"  | Daniel G. Epstein
quoted from foolscap tomes,  | Network Security Officer,
is a shadow brushed away     | Network Security & Enterprise
by an acorn from an oak tree |  Network Systems Administration
or a salmon in a pool.       | NSIT, The University of Chicago
                             | depstein at uchicago.edu

For PGP key see http://security.uchicago.edu/centerinfo/pgpkeys.shtml



More information about the unisog mailing list