Hi everyone,

Here is a peice of an IIS 6 log file of a recently defaced site.

##after a few failed attempts this one was successful
2006-05-25 04:57:20 POST /_vti_bin/shtml.dll/_vti_rpc - -
200.162.245.64 HTTP/1.1 MSFrontPage/5.0 - 200 349
2006-05-25 04:57:20 POST /_vti_bin/_vti_aut/author.dll - -

[ more ]  [ reply ]

There's a thread floating around in Gmail Groups discussion boards
talking about the same thing. Except the discussion is more of a "OMG
GMail's hacked" since the emails appear to be coming from the user
themselves but also places that same item in their Sent Items folder.
No official work from Goo

[ more ]  [ reply ]

We've seen enough that I sent out a warning to all users in my domain to
delete. It seems that the source mail server is being spoofed as well
as the source address. My analysis shows each e-mail having a separate
source address coming from all over the US and Amsterdam, I didn't see
any other cou

[ more ]  [ reply ]

They are not from any particular IP. 3 that I looked at came from a Bell South IP, an IP in RIPE, and an IP in APNIC. Seems to be a bot network.

My best guess is that this is meant to poison the statistics of bayesian mail filters and trick them into letting spam through.

-----------------------

[ more ]  [ reply ]

We have received a few strange emails (from Korea and France) which
lists a three character number in the subject line and a different
three digit character number in the body, no attachments.

The sender (from field) has been spoofed and displays the receivers
name (to field).

I did a search on go

[ more ]  [ reply ]

We're seeing one of our clients struggling from 139 and 445 scanning (a lot of windows desktops). It looks like the've been hit but I don't have access to any of the machines to investigate deeper. It's being blocked at the firewall so it's not contributing to the noise.

Us and 1/2 of our clients a

[ more ]  [ reply ]

Hello list,

To save us from rehashing what comes up fairly frequently on Incidents,
I ask that replies to this thread (and future incident response threads
for that matter) focus specifically on details of the incident in question.

Two clashing schools of thought are, "wipe clean and reinstall f

[ more ]  [ reply ]

Just a guess, but I'd bet the behavior you're seeing is the same method with which you became infected, that is, via TCP 139 and 445. Sounds like a propogation worm.

It will morph on reboot, so use a prog like regshot or regmon to diff the registry.

Check HKLM software Microsoft windowsnt cur

[ more ]  [ reply ]

>Some viruses use random filenames. If you've deleted them then there's
>no way to tell for sure what they were - if you do have them, send the
>files to http://www.virustotal.com/ for a diagnosis - though I would
>still re-install the box.

I don't agree with re-installing the box, that's a drastic

[ more ]  [ reply ]

Came in this morning to find a windows 2003 server I manage scanning the
Internet for machines listening on tcp 139 and 445. While looking at the
machine I noticed the following processes running.

Mwvsta.exe found in c:\windows\system32

rundll16.exe c:\windows\system23

Ponoas.exe c:\windows\

[ more ]  [ reply ]