[unisog] New exploit

Jon Mitchiner jon.mitchiner at gallaudet.edu
Tue Nov 11 18:08:55 GMT 2003


When you examined a computer did you use Sysinternal tools (TCPView and
Process Explorer) at http://www.sysinternals.com/ntw2k/utilities.shtml

Usually when a computer is exhibiting strange behavior one of those two
tools will help you identify unusual programs running.

The most common way that a computer is breached is either a) weak or blank
passwords or b) machine was not kept up to date.

Jon
----- Original Message ----- 
From: "Allison MacFarlan" <allison.macfarlan at yale.edu>
To: <unisog at sans.org>
Sent: Tuesday, November 11, 2003 12:43 PM
Subject: [unisog] New exploit


> We are trying to identify something that is going on here, and wonder if
you're
> seeing this at your campuses (all of them, not just one):
>
> -waves of spoofed addresses trying to get out to various IPs and IRC
locations
> (these get dropped, but they tie up the routers with traffic);
> -when a machine is examined, it has the executables characteristic of
> W32.Randex.Y,
> but the virus is not detected by NAV (no comments);
> -reports from all over that event logs are filling up with login attempts,
both
> successes and failures, suggesting that a password cracker is also part of
this
> package;
> -the machines that are examined are up-to-date with Windows patches and
virus
> definitions, and the virus engine is working.
> -- 
> ++++---++++---++++---++++
> Allison S. MacFarlan
> allison.macfarlan at yale.edu
> ITS Information Security Officer, AM&T
> Yale University
> ph: 203-432-6684
> bp: 203-370-0554
> http://www.yale.edu/its/security
>



More information about the unisog mailing list