--On Friday, June 04, 2004 03:55:05 PM -0500 insecure
<[EMAIL PROTECTED]> wrote:
McAfee 7.1.0 with DAT 4364 (6/2/04) detects it as BackDoor-CCT. This is
not a worm, it's a trojan. Your systems are being remotely compromised,
possibly with an auto-rooter targeting the lsass vulnerability, which
instructs the compromised system to download, install, and run this
trojan. This trojan includes a keystroke logger, and additional
components that you seem to have missed. Assume that system and any web
site passwords have been compromised. Warn the users of these systems
that unless they change any financial site passwords they are likely to
be victims of theft.
How are these system getting compromised? Why don't you have this patch
deployed yet? Why are these systems reachable from the Internet over port
445?
For someone who knows nothing about his network, you sure are willing to
make a lot of assumptions. You admit you don't know how the systems were
compromised and you don't know what compromised them, yet you castigate him
for leaving port 445 open and not patching and you assume this happened
*remotely*?
You've got more problems than new worms.
One of which is miserable comforters.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
