1st October 2002, 10:53 | #1 | Link |
Moderator
Join Date: Oct 2001
Location: Germany
Posts: 4,454
|
New worm in the wild searching samba/windows shares?
Hi,
since it's not video related I'll post here. For the last ~3-4 days I have been seeing many netbios-ssn (port 139) connection attempts in our networks from the outside. I know that e.g. Nimda infected Windows shares, but it never actively scanned the "entire" internet - it just used the "Windows neighbourhood" for this. So this must be some new virus/worm scanning in the wild for potential victim systems. I don't know if it's a Samba exploit or if just Windows is affected (I upgraded to the latest stable Samba 2.2.5 and blocked that port within the firewall in addition to my old smb.conf denying connects from there... just to be "sure").
My question is: does anyone have further information about this? I can't find anything on Bugtraq or in the emergency virus announcements of the antivirus companies...
Thanks,
regards,
Koepi
__________________
Koepi's new media development site |
1st October 2002, 14:49 | #2 | Link |
Deputy
Join Date: Jan 2002
Location: Sthlm, Sweden
Posts: 1,453
|
And there's nothing on cert either. I guess you've already checked http://www.cert.org/current/scanning.html
|
2nd October 2002, 07:54 | #3 | Link |
Registered User
Join Date: Nov 2001
Posts: 49
|
Koepi, I remember a while back that there were some shady "p2p" mp3/divx search programs that snooped people's hard drives for open SMB shares (i.e. without their knowledge/permission). Here is a link I found describing one such program, which went out of business, but I don't doubt that there are others:
http://www.infoworld.com/articles/hn...r.xml?0717mnpm
Maybe the "hits" you are getting on the ports Samba uses are just some snoopware looking for an unprotected Windows share with free music/porn/whatever on it, not necessarily a Samba-specific exploit. Fortunately Linux gives you the tools to detect/prevent snoops |
2nd October 2002, 12:05 | #4 | Link |
avatar doesn't support IE
Join Date: Feb 2002
Location: The Great Southland
Posts: 2,238
|
dunno about netbios based, but this worm seems to have picked up lately (got 2 today, to different accounts) http://www.sarc.com/avcenter/venc/da...ugbear@mm.html
and it has a backdoor to do quite a bit. Enf... |
5th October 2002, 13:33 | #5 | Link |
Moderator
Join Date: Oct 2001
Location: Germany
Posts: 4,454
|
http://www.sarc.com/avcenter/venc/da...oval.tool.html
This is the virus I was looking for (and the removal tool). Finally some info about it.
Regards,
Koepi
__________________
Koepi's new media development site |