Security Incidents mailing list archives
Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com
From: "Rainer Duffner" <rainer () ultra-secure de>
Date: Tue, 07 May 2002 18:12:09 +0200
Edwards, David (JTS) writes:
Hi,We've just found some instances of "netbuie.exe" running in some terminalserver sessions here. The file was written to the Winnt\system32
[snip]
Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server patches missing and 2 IE6. This sounded familiar (when I first saw it) but I haven't been able to find any other references so I thought I'd make one :-) The worry is (of course) that the server is further compromised. Anyone seen this before?
No, but if one of the missing patches was the one against the "DebPloit", then the person could really have done "anything".And thus it is, as always, best to reload the OS.
Does system32 still have full control for everybody ?Or was the file written by an administrator ?
cheers,Rainer
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Rainer Duffner Munich rainer () ultra-secure de Germany http://www.i-duffner.de Freising ======================================== When shall we three meet again In thunder, lightning, or in rain?~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service.For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com H C (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Nick FitzGerald (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Brian McWilliams (May 09)
- <Possible follow-ups>
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 07)
- Re: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Rainer Duffner (May 08)
- RE: netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com Edwards, David (JTS) (May 08)