To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
In over a year of watching bots this is the first I have seen one
exploit a blank admin password.  Has anyone seen this before?  My rule
triggers on the Hex string for exploiting and has 99.99 positive sig.

bigfoot


#(19 - 10203730) [2006-03-04 12:49:28] [snort/100002481]  BOT bot host exploitingA
IPv4: xx.xx.xx.179 -> 140.113.216.36
      hlen=5 TOS=0 dlen=156 ID=22791 flags=0 offset=0 TTL=125 chksum=16122
TCP:  port=1034 -> dport: 5599  flags=***AP*** seq=894155347
      ack=2843044703 off=5 res=0 win=64909 urp=0 chksum=58091
Payload:  length = 116

000 : 50 52 49 56 4D 53 47 20 23 64 69 73 63 75 73 73   PRIVMSG #discuss
010 : 69 6F 6E 20 3A 5B 53 43 41 4E 4E 45 52 5D 20 4E   ion :[SCANNER] N
020 : 65 74 42 69 6F 73 3A 20 45 78 70 6C 6F 69 74 69   etBios: Exploiti
030 : 6E 67 20 49 50 3A 20 5C 5C 41 31 31 2F 21 31 2E   ng IP: \\10.12.
040 : 42 42 2E 42 5C 41 64 6D 69 6E 24 2C 20 41 64 6D   65.78\Admin$, Adm
050 : 69 6E 69 73 74 72 61 74 6F 72 2F 28 42 6C 61 6E   inistrator/(Blan
060 : 6B 29 20 28 43 72 65 61 74 65 53 65 72 76 69 63   k) (CreateServic
070 : 65 29 0D 0A                                       e)..
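
Added example, not part of the original post and not the poster's Snort rule: a Python sketch that rebuilds the payload from the hex rows of the alert above and pulls the fields out of the bot's scanner report, so that blank-password attempts can be flagged during triage. The function names and the report grammar in the regular expression are assumptions inferred from this single captured line.

```python
import re

# Payload rows copied from the alert above (hex column only).
DUMP = """\
000 : 50 52 49 56 4D 53 47 20 23 64 69 73 63 75 73 73
010 : 69 6F 6E 20 3A 5B 53 43 41 4E 4E 45 52 5D 20 4E
020 : 65 74 42 69 6F 73 3A 20 45 78 70 6C 6F 69 74 69
030 : 6E 67 20 49 50 3A 20 5C 5C 41 31 31 2F 21 31 2E
040 : 42 42 2E 42 5C 41 64 6D 69 6E 24 2C 20 41 64 6D
050 : 69 6E 69 73 74 72 61 74 6F 72 2F 28 42 6C 61 6E
060 : 6B 29 20 28 43 72 65 61 74 65 53 65 72 76 69 63
070 : 65 29 0D 0A
"""

# One dump row: 3-digit hex offset, " : ", then space-separated hex bytes.
# Anything after the hex bytes (the ASCII column) is ignored.
ROW = re.compile(r"^([0-9A-Fa-f]{3}) : ((?:[0-9A-Fa-f]{2} )*[0-9A-Fa-f]{2})")

def payload_from_dump(dump):
    """Rebuild payload bytes from dump rows, checking offsets are contiguous."""
    out = bytearray()
    for line in dump.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # blank lines or wrapped ASCII fragments
        if int(m.group(1), 16) != len(out):
            raise ValueError("gap in dump at offset " + m.group(1))
        out += bytes.fromhex(m.group(2))
    return bytes(out)

# Assumed report grammar, inferred from the one line in the alert.
REPORT = re.compile(
    rb"^PRIVMSG (?P<channel>#\S+) :\[SCANNER\] (?P<module>\w+): Exploiting IP: "
    rb"\\\\(?P<target>[^\\]+)\\(?P<share>[^,]+), (?P<user>[^/]+)/(?P<password>\S+) "
    rb"\((?P<method>\w+)\)\r\n$")

def parse_scanner_report(payload):
    """Return the report fields as a dict of str, or None if it does not match."""
    m = REPORT.match(payload)
    if not m:
        return None
    fields = {k: v.decode("ascii", "replace") for k, v in m.groupdict().items()}
    fields["blank_password"] = fields["password"] == "(Blank)"
    return fields
```
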
_______________________________________________
botnets mailing list
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets