Full Disclosure mailing list archives

Re: Possible First Crypto Virus Definitely Discovered!


From: "Billy B. Bilano" <mr.bill.bilano () email server unix bill bilano biz>
Date: Tue, 8 Jun 2004 14:26:42 -0500

Kenneth,

These are insidious hackers!

I did what you said and I am getting an exact duplicate of our web site!
They have probably infiltrated the system and are using this to capture our
customers' login information and passing it back to them encrypted! I can't
believe this!

I've already called a local consulting firm and they will be doing an eval
this Thursday of our security measures that we've taken. Then, I am going to
call the webmaster I just fired over this back in and have him sit in front
of their report and see if he has anything to say for himself. Hah!

Also, right before I wrote this message I blocked port 443 in and out on our
firewall at the bank! I will be going over these servers very carefully
tonight to look for anything wacky or goofy.

--------
Mr. Billy B. Bilano, MSCE, CCNA
<http://www.bilano.biz/>
Expert Sysadmin Since 2003!
'C:\WINDOWS, C:\WINDOWS\GO, C:\PC\CRAWL'  -- RMS



----- Original Message ----- 
From: "Ng, Kenneth (US)" <kenng () kpmg com>
To: "'Billy B. Bilano'" <mr.bill.bilano () email server unix bill bilano biz>;
<full-disclosure () lists netsys com>
Sent: Tuesday, June 08, 2004 1:51 PM
Subject: RE: [Full-disclosure] Possible First Crypto Virus Definitely
Discovered!


Question is, are you supposed to have a SSL server on that box?  If so,
that's what it is.  If not, then you definitely have a problem.  Try
connecting to that box with the URL you normally use, just use "https"
instead of "http".  If you get the "normal" page, then someone turned on
https without realizing it.  If you get something different, then you
investigate.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

