[unisog] Windows 2000 break-ins

Chris Stoermer stoermer at unt.edu
Fri Sep 6 21:36:20 GMT 2002

We have seen several of these.  Our investigation leads us to believe that -- in most cases -- the exploit was due to Social Engineering (e.g., end user gets an instant message/PopUp with a URL, clicks the URL, and installs a "phone home" trojan).

>>> "Arnold, Jamie" <harnold at binghamton.edu> 09/06/02 01:33PM >>>
Usually ServUFTP...it's pretty flexible.

-----Original Message-----
From: Russell Fulton [mailto:r.fulton at auckland.ac.nz] 
Sent: Friday, September 06, 2002 2:20 PM
To: unisog at sans.org 
Subject: RE: [unisog] Windows 2000 break-ins

On Sat, 2002-09-07 at 02:03, Arnold, Jamie wrote:
> Duke has a decent description of the IRC XDCC thingie..
> http://security.duke.edu/cleaning/xdcc.html 

hmmm... looks like a hacked ftp daemon, one could detect the ftp commands
going to non ftp ports with snort (we do this anyway) or write 
a specific rule that matches some text in the header.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin
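The check Russell describes, as an added Python example (not code from any poster on this thread): it flags FTP greetings or client commands seen on ports other than 21, the same logic a Snort rule keyed on the "220" banner would express. The flow records and the Serv-U banner text are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FTP control-channel fingerprints: a server greeting (reply code 220) and the
# first commands a client sends. A hijacked Serv-U listening on a high port still
# speaks this protocol, which is what gives it away.
FTP_BANNER = re.compile(rb"^220[ -]")
FTP_CMD = re.compile(rb"^(USER|PASS|PORT|PASV|RETR|STOR|LIST|NLST)\b", re.IGNORECASE)
FTP_PORTS = {21}  # ports where FTP is expected and therefore not reported


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    server_bytes: bytes  # first payload bytes sent by the listener
    client_bytes: bytes  # first payload bytes sent by the connecting host


def classify(flow: Flow) -> Optional[str]:
    """Return a finding label for FTP traffic on a non-FTP port, else None."""
    if flow.dport in FTP_PORTS:
        return None
    if FTP_BANNER.match(flow.server_bytes):
        return "ftp-banner-on-nonstd-port"
    if FTP_CMD.match(flow.client_bytes):
        return "ftp-command-to-nonstd-port"
    return None


def scan(flows: List[Flow]) -> List[Tuple[str, int, str]]:
    """Run classify() over a batch and return (listener, port, label) findings."""
    findings = []
    for f in flows:
        label = classify(f)
        if label:
            findings.append((f.dst, f.dport, label))
    return findings


# Constructed sample flows (not real captures). Only the last two should fire.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.1.20", 21, b"220 campus-ftp ready\r\n", b"USER anon\r\n"),
    Flow("10.0.0.5", "10.0.1.21", 80, b"HTTP/1.1 200 OK\r\n", b"GET / HTTP/1.1\r\n"),
    Flow("192.0.2.9", "10.0.1.22", 6112, b"220 Serv-U FTP Server ready\r\n", b"USER xdcc\r\n"),
    Flow("198.51.100.7", "10.0.1.23", 1337, b"", b"PASV\r\n"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(finding)
```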
