Security Incidents mailing list archives
RE: TCP port 139 probes
From: H C <keydet89 () yahoo com>
Date: Wed, 10 Jul 2002 10:39:55 -0700 (PDT)
> Having done a superficial examination of system directories on those machines (they had a publicly accessible share, ergo I was invited, wasn't I? <g>)
Uh...no, you weren't. Just b/c a share is publicly accessible, does NOT, in fact, mean that you were invited. This is simply the age-old rhetoric used to justify malicious actions. While many admins have said that they would be very happy to be told by an outsider that they had a vulnerable machine, to date not a single one has said that they'd be happy to have that person access the machine via some vulnerability and take files.
> I downloaded 3 of them and they all seem to be compressed executables
As with your previous posts, this one is incredibly vague and lacking in any useful information. Compressed with what? PKZip? UPX? What version? Did you uncompress the files?
> having a common prefix,
If you're referring to the first couple of bytes of the file, "MZ" is the common prefix for executables on Windows systems.
> and there are some fragments of strings ("rom", "y smt", ") with", "ESM", "Mime-", "-Typ", "quit" etc) in that common prefix suggesting there is some SMTP implementation there--presumably some kind of malware able to spread via email.
Did you run strings on the compressed or uncompressed file?
> But I did not find anything similar on other machines I examined.
Interesting how you've posted to a public list, basically stating that while you refuse to do any testing on your end to verify that the activity you're seeing is a worm (in your own words to me via email, you're "too lazy"), you're more than willing to access vulnerable systems and take files...

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com