[nsp-sec] Report of successful WINS (ms09-039) compromise
Michael Sinatra
michael at rancid.berkeley.edu
Mon Aug 17 14:03:35 EDT 2009
On 08/17/09 10:45, Mark Boolootian wrote:
> ----------- nsp-security Confidential --------
>
>
>> We just got a report of two WINS servers at a .edu being compromised via
>> the MS09-039[1] vulnerability over the weekend.
>>
>> The only information I have at this moment is the attacking IP was:
>>
>> 221.214.82.183
>
> I've got a system that began spewing high rate traffic to 224.0.1.24:42
> last night. Running netflow shows TCP activity directed to port 42
> of the system just prior to the spew. The source of the TCP activity
> in our case was 221.214.82.185.
We believe we had a machine that was compromised in a similar way a few
days ago. I'll look for the suspect IP address in netflow.
michael
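
The pattern reported in this thread (TCP activity to port 42 on a host, followed shortly by high-rate traffic from that host to 224.0.1.24:42) can be searched for in exported flow records. The following is an added example, not part of any message in the thread; the CSV record layout, the sample addresses, the one-hour window and the packet threshold are all assumptions.

```python
import csv
from io import StringIO

WINS_PORT = 42
MCAST_DST = "224.0.1.24"  # multicast destination named in the thread

# Constructed flow records (not real data), assumed layout:
# epoch_seconds,src,dst,proto,dport,packets
SAMPLE_FLOWS = """\
1250400000,198.51.100.7,192.0.2.10,tcp,42,12
1250400300,192.0.2.10,224.0.1.24,udp,42,250000
1250400400,192.0.2.20,224.0.1.24,udp,42,3
1250401000,198.51.100.7,192.0.2.30,tcp,42,9
1250390000,192.0.2.40,224.0.1.24,udp,42,90000
1250400500,198.51.100.9,192.0.2.40,tcp,42,4
"""

def parse_flows(text):
    """Turn CSV flow lines into dicts with typed fields."""
    for ts, src, dst, proto, dport, pkts in csv.reader(StringIO(text)):
        yield {"ts": int(ts), "src": src, "dst": dst,
               "proto": proto.lower(), "dport": int(dport), "pkts": int(pkts)}

def find_suspects(flows, window=3600, min_pkts=10000):
    """Return (host, [tcp_sources], ts) for each host that sent at least
    min_pkts packets to MCAST_DST:42 within `window` seconds after
    receiving a TCP/42 flow. Both thresholds are assumed defaults."""
    inbound = {}  # host -> [(ts, src)] of TCP/42 flows it received
    hits = []
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dport"] != WINS_PORT:
            continue
        if f["dst"] == MCAST_DST:
            if f["pkts"] < min_pkts:
                continue  # low-rate multicast, not the reported "spew"
            prior = sorted({src for ts, src in inbound.get(f["src"], [])
                            if 0 <= f["ts"] - ts <= window})
            if prior:
                hits.append((f["src"], prior, f["ts"]))
        elif f["proto"] == "tcp":
            inbound.setdefault(f["dst"], []).append((f["ts"], f["src"]))
    return hits

if __name__ == "__main__":
    for host, sources, ts in find_suspects(parse_flows(SAMPLE_FLOWS)):
        print(f"{host}: multicast burst at {ts}, preceded by TCP/42 from {sources}")
```

Hosts that only received TCP/42, or whose multicast traffic started before any TCP/42 contact, are not reported, so the output is a shortlist for review rather than a verdict.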