Message-ID: <40C0E1A9.5080705@ameritech.net>
From: insecure at ameritech.net (insecure)
Subject: another new worm submission

Perrymon, Josh L. wrote:

>http://www.detroit-x.com/analysis.htm
>
>This is something we found this morning. I have packet captures that I will
>post.
>I have attached the infected files found with FPORT and also registry
>entries.
>
>We found this rebooting machines with the LSASS.exe error similar to Sasser.
>As of 6/4/2004 we found no virus defs to pick it up.
>
>
>Joshua Perrymon
>Sr. Network Security Consultant
>
>  
>
McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT.  This is 
not a worm, it's a trojan. Your systems are being remotely compromised, 
possibly with an auto-rooter targeting the lsass vulnerability, which 
instructs the compromised system to download, install, and run this 
trojan. This trojan includes a keystroke logger, and additional 
components that you seem to have missed. Assume that system and any web 
site passwords have been compromised. Warn the users of these systems 
that unless they change any financial site passwords they are likely to 
be victims of theft.

How are these systems getting compromised? Why don't you have this patch 
deployed yet? Why are these systems reachable from the Internet over 
port 445?

You've got more problems than new worms.
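
Added example, not part of the thread above and not code from either poster: the reply's closing question (why is TCP/445 reachable from the Internet at all?) is the first thing to verify after an incident like this, because the LSASS auto-rooter it describes needs that port open to get in. The script below does a plain TCP connect sweep on port 445 across a list of addresses and reports which ones accept. The addresses in it are constructed placeholders (RFC 5737 documentation space), and the `probe` parameter is an assumption of this example so the scan logic can be exercised without network access; run it from outside your perimeter against your real externally routable ranges.

```python
"""Audit which hosts accept TCP connections on port 445 (SMB over TCP).

Added example for the thread above; it is not code from the original
message. Any host that answers on 445 from the outside is a candidate for
the remote LSASS compromise the reply describes, regardless of whether a
virus definition for the dropped trojan exists yet.
"""
import socket
from concurrent.futures import ThreadPoolExecutor

SMB_PORT = 445


def tcp_port_open(host, port=SMB_PORT, timeout=2.0):
    """Return True if a full TCP handshake to host:port completes in time.

    Every OSError (refused, unreachable, timed out, socket creation blocked)
    counts as 'not exposed'; only hosts that actually accept are reported.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_smb_exposure(hosts, port=SMB_PORT, timeout=2.0, workers=32,
                      probe=tcp_port_open):
    """Return the sorted list of hosts that accept connections on port.

    `probe(host, port, timeout)` is pluggable (an assumption of this example)
    so the sweep can be tested offline by passing a fake probe.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, probe(h, port, timeout)), hosts))
    return sorted(h for h, is_open in results if is_open)


if __name__ == "__main__":
    # Constructed placeholder addresses; replace with your external ranges.
    CANDIDATES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    exposed = scan_smb_exposure(CANDIDATES)
    for host in exposed:
        print(f"{host}: TCP/445 reachable from here - filter it at the border "
              f"and confirm the LSASS patch is installed")
    if not exposed:
        print("no host in the list accepts TCP/445")
```

A connect sweep only tells you the port is open, not whether the host is already compromised; treat every address it lists as one to block at the perimeter first and then examine with the same FPORT and registry checks the original report used.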

