14-07-04

radmin hack attack

The hacked computers have the following characteristics:
- They are all scanning the Internet for hosts listening on port 1433
- They are all listening on port 26101 TCP (radmin renamed to lsass.exe in c:\winnt)
- The file tapiui.exe was found in the c:\winnt\system32 directory and it was the FTP server listening on port 35894.
- The file "kill.exe" was found in the root of the C: drive
- They all listen on the following port for FTP:
Port: 35894
Banner: 220 Microsoft FTP Server
http://isc.sans.org/diary.php?date=2004-07-09
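A triage check built from the indicators listed above, as an added example that is not part of the original post. It reads saved `netstat -an` output and a file listing; the sample data is constructed, the function name and the scan threshold are assumptions, and the paths assume the standard c:\winnt layout.

```python
import re

# Indicators taken from the list in this post.
LISTEN_PORTS = {26101: "radmin (renamed lsass.exe)",
                35894: "FTP server (tapiui.exe)"}
SCAN_PORT = 1433
SUSPECT_FILES = {r"c:\winnt\lsass.exe",            # real lsass.exe lives in system32
                 r"c:\winnt\system32\tapiui.exe",
                 r"c:\kill.exe"}
SCAN_THRESHOLD = 3  # assumption: distinct remote hosts before reporting a scan

# One TCP row of Windows `netstat -an`: proto, local addr:port, remote addr:port, state
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$", re.I)

def triage(netstat_text, file_paths):
    """Return a list of findings that match the post's indicators."""
    findings, targets = [], set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, UDP rows, blank lines
        _, lport, raddr, rport, state = m.groups()
        if state.upper() == "LISTENING" and int(lport) in LISTEN_PORTS:
            findings.append(f"listener on TCP {lport}: {LISTEN_PORTS[int(lport)]}")
        elif int(rport) == SCAN_PORT:
            targets.add(raddr)
    if len(targets) >= SCAN_THRESHOLD:
        findings.append(f"outbound to port {SCAN_PORT} on {len(targets)} hosts")
    present = {p.lower() for p in file_paths}  # Windows paths are case-insensitive
    for path in sorted(SUSPECT_FILES & present):
        findings.append(f"file present: {path}")
    return findings

# Constructed sample input (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:26101          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:35894          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1045          192.0.2.10:1433        SYN_SENT
  TCP    10.0.0.5:1046          192.0.2.11:1433        SYN_SENT
  TCP    10.0.0.5:1047          192.0.2.12:1433        SYN_SENT
"""
SAMPLE_FILES = [r"C:\WINNT\lsass.exe", r"C:\WINNT\system32\lsass.exe", r"C:\kill.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_FILES):
        print(finding)
```

A match on a listening port or file name alone is only a lead; confirm by checking which process owns the port and the banner it returns.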

00:40 Posted by technology changes fast not a lot
