Incidents
(Page 16 of 170)
Website Defacement 2006-06-07
killy (killfactory gmail com)
Hi everyone,

Here is a piece of an IIS 6 log file of a recently defaced site.

##after a few failed attempts this one was successful
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - -
200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - -

Re: Strange mail with number in subject line and body 2006-06-07
Anthony Petito (anthonypetito gmail com)
There's a thread floating around in Gmail Groups discussion boards
talking about the same thing. Except the discussion is more of a "OMG
GMail's hacked" since the emails appear to be coming from the user
themselves but also places that same item in their Sent Items folder.
No official work from Goo

RE: Strange mail with number in subject line and body 2006-06-07
Shaffer, Bruce (security stsgi com)
We've seen enough that I sent out a warning to all users in my domain to
delete. It seems that the source mail server is being spoofed as well
as the source address. My analysis shows each e-mail having a separate
source address coming from all over the US and Amsterdam, I didn't see
any other cou

Re: Re: Strange mail with number in subject line and body 2006-06-07
junkmail babtras com (1 replies)
They are not from any particular IP. 3 that I looked at came from a Bell South IP, an IP in RIPE, and an IP in APNIC. Seems to be a bot network.

My best guess is that this is meant to poison the statistics of bayesian mail filters and trick them into letting spam through.

-----------------------

Re: Re: Strange mail with number in subject line and body 2006-06-07
Christine Kronberg (seeker shalla de) (1 replies)
Re: Re: Strange mail with number in subject line and body 2006-06-07
Jamie Riden (jamesr europe com)
Strange mail with number in subject line and body 2006-06-06
paul.johnson8 (at) gmail (dot) com (paul johnson8 gmail com) (4 replies)
We have received a few strange emails (from Korea and France) which
lists a three character number in the subject line and a different
three digit character number in the body, no attachments.

The sender (from field) has been spoofed and displays the receivers
name (to field).

I did a search on go

Re: Strange mail with number in subject line and body 2006-06-07
Isaac Perez (suscripcions tsolucio com)
Re: Strange mail with number in subject line and body 2006-06-07
Russell Fulton (r fulton auckland ac nz)
RE: Strange mail with number in subject line and body 2006-06-07
Poof (poof fansubber com) (1 replies)
RE: Strange mail with number in subject line and body 2006-06-07
Trevor Jennings (trevor mytek net)
Re: Strange mail with number in subject line and body 2006-06-07
Jamie Riden (jamesr europe com) (1 replies)
RE: Strange mail with number in subject line and body 2006-06-07
Tim Boyer (jim denmantire com)
Re: Compromised Windows Server 2006-06-06
ross contextshift com
We're seeing one of our clients struggling from 139 and 445 scanning (a lot of windows desktops). It looks like they've been hit but I don't have access to any of the machines to investigate deeper. It's being blocked at the firewall so it's not contributing to the noise.

Us and 1/2 of our clients a

Moderator note: Compromised Windows Server thread 2006-06-07
Jesse Gough (jgough securityfocus com)
Hello list,

To save us from rehashing what comes up fairly frequently on Incidents,
I ask that replies to this thread (and future incident response threads
for that matter) focus specifically on details of the incident in question.

Two clashing schools of thought are, "wipe clean and reinstall f

Re: Compromised Windows Server 2006-06-06
Butterworth, Jim (jim butterworth guidancesoftware com)
Just a guess, but I'd bet the behavior you're seeing is the same method with which you became infected, that is, via TCP 139 and 445. Sounds like a propagation worm.

It will morph on reboot, so use a prog like regshot or regmon to diff the registry.

Check HKLM software Microsoft windowsnt cur

Re: Re: Compromised Windows Server 2006-06-06
wnorth verizon net
>Some viruses use random filenames. If you've deleted them then there's
>no way to tell for sure what they were - if you do have them, send the
>files to http://www.virustotal.com/ for a diagnosis - though I would
>still re-install the box.

I don't agree with re-installing the box, that's a drastic

Compromised Windows Server 2006-06-05
Patrick Beam (patrick beam gmail com) (8 replies)
Came in this morning to find a windows 2003 server I manage scanning the
Internet for machines listening on tcp 139 and 445. While looking at the
machine I noticed the following processes running.

Mwvsta.exe found in c:\windows\system32

rundll16.exe c:\windows\system23

Ponoas.exe c:\windows\

Re: Compromised Windows Server 2006-06-06
Isaac Perez (suscripcions tsolucio com)
Re: Compromised Windows Server 2006-06-07
Macleonard Starkey (macleonard auscert org au)
Re: Compromised Windows Server 2006-06-06
Patrick Beam (patrick beam gmail com) (1 replies)
Re: Compromised Windows Server 2006-06-07
Kees Leune (C J Leune uvt nl)
Re: Compromised Windows Server 2006-06-06
Harlan Carvey (keydet89 yahoo com)
Re: Compromised Windows Server 2006-06-06
Axel Pettinger (api worldonline de)
Re: Compromised Windows Server 2006-06-06
Jason Ross (algorythm gmail com)
Re: Compromised Windows Server 2006-06-06
pauls utdallas edu
Re: Compromised Windows Server 2006-06-06
Jamie Riden (jamesr europe com)
Copyright 2010, SecurityFocus