1st October 2002, 10:53   #1
Koepi
Moderator
New worm in the wild searching samba/windows shares?

Hi,

Since it's not video related, I'll post here.

For ~3-4 days now I have been seeing many netbios-ssn (port 139) connection attempts in our networks from the outside. I know that e.g. Nimda infected Windows shares, but it never actively scanned the "entire" internet - it just used the "Windows neighbourhood" for this.

So this must be some new virus/worm scanning in the wild for potential victim systems.

I don't know if it's a Samba exploit or if just Windows is affected (I upgraded to the latest stable Samba 2.2.5 and blocked that port in the firewall, in addition to my old smb.conf denying connects from there... just to be "sure").

My question is: does anyone have further information about this? I can't find anything on bugtraq or in the emergency virus announcements of the antivirus companies...

Thanks,

regards,
Koepi
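One way to check the observation in the post above against firewall logs, as an added example that is not part of the thread. It assumes the firewall writes netfilter (iptables LOG) style lines and that 198.51.100.0/24 stands in for the internal network; the function names and the abbreviated sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs of a netfilter LOG line

# Constructed sample log (documentation address ranges; 198.51.100.0/24 plays "our network").
SAMPLE_LOG = """\
Oct  1 10:41:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=3012 DPT=139 SYN URGP=0
Oct  1 10:41:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP SPT=3013 DPT=139 SYN URGP=0
Oct  1 10:41:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP SPT=3014 DPT=139 SYN URGP=0
Oct  1 10:52:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=198.51.100.10 PROTO=TCP SPT=1188 DPT=139 SYN URGP=0
Oct  1 10:53:11 gw kernel: IN=eth1 OUT= SRC=198.51.100.20 DST=198.51.100.10 PROTO=TCP SPT=1029 DPT=139 SYN URGP=0
Oct  1 10:54:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.10 PROTO=TCP SPT=4000 DPT=80 SYN URGP=0
Oct  1 10:55:19 gw kernel: IN=eth0 OUT= SRC=203.0.113
"""

def summarize_smb_probes(log_text, internal_nets, port=139):
    """Map each outside source to the set of internal hosts it tried on `port`."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    probes = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        flags = set(line.split())
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != str(port):
            continue
        if "SYN" not in flags or "ACK" in flags:
            continue  # only count new connection attempts
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
        except (KeyError, ValueError):
            continue  # truncated or malformed line
        if any(src in net for net in nets):
            continue  # local "Windows neighbourhood" traffic, not an outside scan
        probes[str(src)].add(str(dst))
    return dict(probes)

def likely_scanners(probes, min_targets=3):
    """Sources that tried several distinct hosts look like sweeps, not stray connects."""
    return sorted(src for src, dsts in probes.items() if len(dsts) >= min_targets)

if __name__ == "__main__":
    found = summarize_smb_probes(SAMPLE_LOG, ["198.51.100.0/24"])
    for src in likely_scanners(found):
        print(src, "probed", len(found[src]), "hosts on port 139")
```
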
1st October 2002, 14:49   #2
Swede
Deputy
And there's nothing on cert either. I guess you've already checked http://www.cert.org/current/scanning.html
2nd October 2002, 07:54   #3
tanksimpson
Registered User
Koepi, I remember a while back that there were some shady "p2p" mp3/divx search programs that snooped people's hard drives for open SMB shares (i.e. without their knowledge/permission). Here is a link I found describing one such program, which went out of business, but I don't doubt that there are others:

http://www.infoworld.com/articles/hn...r.xml?0717mnpm

Maybe the "hits" you are getting on the ports Samba uses are just some snoopware looking for an unprotected Windows share with free music/porn/whatever on it, not necessarily a Samba-specific exploit. Fortunately Linux gives you the tools to detect/prevent snoops.
2nd October 2002, 12:05   #4
auenf
avatar doesn't support IE
dunno about netbios based, but this worm seems to have picked up lately (got 2 today, to different accounts) http://www.sarc.com/avcenter/venc/da...ugbear@mm.html

and it has a backdoor to do quite a bit.

Enf...
5th October 2002, 13:33   #5
Koepi
Moderator
http://www.sarc.com/avcenter/venc/da...oval.tool.html

This is the virus I was looking for (and the removal tool).

Finally some info about it

Regards,
Koepi
All times are GMT +1.