[Lancaster] Re: Lancaster digest, Vol 1 #20 - 1 msg

Andy Baxter andy at earthsong.free-online.co.uk
Tue May 27 21:01:00 2003


Thanks doc for the interesting link - not sure if those connections were 
trying to make my machine a 'zombie' but they certainly could have been - the 
site I found about 'alevrius_' mentioned a flaw in the microsoft smb server 
where you could get a connection with only the first letter of the password 
(i.e. only 36 tries), and once they had it, they could probably replace one 
of the standard system files with a trojan, and it would run next time you 
booted.

It was interesting technically and also on a human level to see how the bloke 
went about trying to trace back the source of the attacks.

I just did some more research and it looks like the 'alevrius_' and 'gustavo' 
connections at least are trying to spread a worm called 'opaserv' - see 

http://www.sophos.com/virusinfo/analyses/w32opaserva.html 
or
http://www.bitdefender.com/virusi/virusi_descrieri.php?virus_id=101

This isn't a zombie program - just a worm which replicates itself without (as 
far as either of those sites say) doing anything else to your system.

andy

P.S. Ethereal runs on Windows as well - they've used GTK+ for the windowing 
API. Download from www.ethereal.com. The menu option Tools | Protocol 
Hierarchy Statistics is useful for finding out the different kinds of packets 
and protocols there are in a logged capture session.


On Tuesday 27 May 2003 2:39 pm, Paul Dougherty wrote:
> Dear Andy and all,
> This might be of interest...Zombies etc
> http://grc.com/dos/grcdos.htm
>
>     Best Wishes
>
>           Doc
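The password flaw Andy mentions above (a connection granted after matching "only the first letter of the password") is the classic per-character check: the server trusts the length the client sends and compares only that many characters. The following is an added example, not code from the original thread and not the SMB server's real code; it is a simplified model with a constructed 36-symbol alphabet (the count Andy gives) and a constructed share password, showing why such a check collapses the search from 36^n guesses to at most 36 per character, and what the hardened comparison looks like.

```python
import hmac

# Added example, not from the original post. Models the bug described in
# the email: the server honours the client-supplied password length and
# compares only that many characters, so each character can be guessed on
# its own. ALPHABET and SECRET are constructed values.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"  # 36 symbols, the email's count
SECRET = "s3cret"                                   # constructed share password


def vulnerable_check(secret: str, attempt: str) -> bool:
    """Flawed server: trusts len(attempt) and compares only that prefix.
    A zero-length attempt is rejected here; without that it would be worse."""
    if not attempt:
        return False
    return secret[: len(attempt)] == attempt


def fixed_check(secret: str, attempt: str) -> bool:
    """Hardened server: lengths must match and the comparison is
    constant-time, so neither length nor content leaks per character."""
    return hmac.compare_digest(secret.encode(), attempt.encode())


def recover_password(check, max_len: int = 16):
    """Attacker: grow a known prefix one character at a time, with at most
    len(ALPHABET) tries per position. Returns (password or None, attempts)."""
    prefix, attempts = "", 0
    for _ in range(max_len):
        for ch in ALPHABET:
            attempts += 1
            if check(SECRET, prefix + ch):
                prefix += ch
                break
        else:
            # No extension accepted: either prefix is the whole password
            # or the check does not leak partial matches at all.
            break
    return (prefix if check(SECRET, prefix) else None), attempts


def exhaustive_attempts(length: int) -> int:
    """Worst-case tries against a correct full-length check."""
    return len(ALPHABET) ** length


if __name__ == "__main__":
    pw, n = recover_password(vulnerable_check)
    print(f"vulnerable server: recovered {pw!r} in {n} tries "
          f"(vs {exhaustive_attempts(len(SECRET))} exhaustive)")
    pw, n = recover_password(fixed_check)
    print(f"fixed server: recovered {pw!r} after {n} tries")
```

Against the flawed check the attacker recovers the six-character password in 131 connection attempts (one pass per character plus a final pass that confirms there is nothing more); against the fixed check the same loop gives up after the first 36 with nothing learned. The lesson is the one Andy's remark implies: never let the client decide how much of the secret gets compared.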