Security Incidents mailing list archives
netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Tue, 7 May 2002 10:10:06 +0930
Hi,

We've just found some instances of "netbuie.exe" running in some terminal server sessions here. The file was written to the Winnt\system32 directory about 6:00pm on Sunday and registry entries made in:

HKLM/Software\Microsoft\windows\current version\run
HKLM/Software\Microsoft\windows\run

It seems to be a Vb 5 PE that hits on two web sites, scorpionsearch.com and fastcounter.bcentral.com when run. Possibly just generating revenue for some bod somewhere.

Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server patches missing and 2 IE6.

This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-)

The worry is (of course) that the server is further compromised.

Anyone seen this before?

ciao
dave

---
Dave Edwards
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Services
GPO Box 2048, Adelaide 5001
---

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com