[nsp-sec] Report of successful WINS (ms09-039) compromise
Gabriel Iovino
giovino at ren-isac.net
Mon Aug 17 17:49:42 EDT 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Gabriel Iovino wrote:
> I'll share more when I get more.
Analyzing some Snort and netflow data, it appears the miscreants were
able to get a shell on port 42 back to 221.214.82.183:3968.
Then the miscreants did some FTP action to (221.214.82.183:20 &
221.214.82.183:21). Maybe ftp'ing winapp.exe to the compromised WINS
server??
Other potentially interesting netflow data:
compromised host -> 91.205.41.160:80
compromised host -> 65.55.27.220:80
compromised host -> 207.46.211.250:80
Please feel free to share this data with trusted individuals.
Gabe
- --
Gabriel Iovino
Principal Security Engineer, REN-ISAC
http://www.ren-isac.net
24x7 Watch Desk +1(317)278-6630
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkqJ0HYACgkQwqygxIz+pTtYOwCgg909XYJpnw/mVLKUAUC64coE
rMoAn37k8fD7hCXRqXuboLrfCXT4Ljin
=wG+T
-----END PGP SIGNATURE-----
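The flow pattern described in the message above (a WINS server answering on tcp/42 to an outside peer, then making FTP and HTTP connections outward) can be hunted for in flow exports. This is an added example, not part of the original post; the CSV layout, the site prefix, the WINS server inventory, the 30-minute window and all sample addresses are constructed assumptions.

```python
import csv, io, ipaddress
from datetime import datetime, timedelta

# Constructed flow records (not from the report): start,src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = """\
2009-08-17T10:00:01,198.51.100.7,3968,192.0.2.10,42,tcp,5120
2009-08-17T10:00:01,192.0.2.10,42,198.51.100.7,3968,tcp,48211
2009-08-17T10:03:12,192.0.2.10,1045,198.51.100.7,21,tcp,912
2009-08-17T10:03:15,192.0.2.10,1046,198.51.100.7,20,tcp,204800
2009-08-17T10:09:40,192.0.2.10,1050,203.0.113.80,80,tcp,1500
2009-08-17T11:00:00,192.0.2.20,42,192.0.2.10,1033,tcp,800
"""

INTERNAL = [ipaddress.ip_network("192.0.2.0/24")]  # assumed site prefix
WINS_SERVERS = {"192.0.2.10", "192.0.2.20"}        # assumed server inventory
WINDOW = timedelta(minutes=30)                     # assumed correlation window
FIELDS = ("ts", "src", "sport", "dst", "dport", "proto", "bytes")

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def hunt(flow_text):
    """Return (rule, server, peer, peer_port) tuples in time order."""
    rows = [dict(zip(FIELDS, r)) for r in csv.reader(io.StringIO(flow_text)) if r]
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
    rows.sort(key=lambda r: r["ts"])
    findings, seen_42 = [], {}  # seen_42[server] = first external tcp/42 session
    for r in rows:
        # WINS replication port (tcp/42) answering a peer outside the site
        if r["src"] in WINS_SERVERS and r["sport"] == 42 and is_external(r["dst"]):
            seen_42.setdefault(r["src"], r["ts"])
            findings.append(("wins-42-external", r["src"], r["dst"], r["dport"]))
        # Server-initiated FTP/HTTP to an external host shortly afterwards
        elif (r["src"] in seen_42 and r["dport"] in (20, 21, 80)
              and is_external(r["dst"])
              and r["ts"] - seen_42[r["src"]] <= WINDOW):
            findings.append(("followup-egress", r["src"], r["dst"], r["dport"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_FLOWS):
        print(*finding)
```

Internal WINS replication between the two listed servers (the last sample row) is not flagged, since only tcp/42 sessions with peers outside the site prefix start a correlation window.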