Subj : Bugbear.A virus notes
To   : Mike Ruskai
From : Mike Luther
Date : Mon Oct 14 2002 09:42 am

But in this case, Mike ..

MR> The GUEST account has no access to any shares in OS/2
MR> unless you explicitly
MR> grant it access.  In other words, there's no
MR> vulnerability unless you take
MR> specific actions to create one.

I used GUEST ... with a password.  It was used for planned access, but
passworded.  In theory, it shouldn't have been compromisable but somehow was.
I only got two passes at this to research.  The first one was a complete
surprise.  The second one I missed just the very start of the attack with the
trace, so we didn't learn exactly what the first few packets were like.

It would have been nice to know exactly where the hole was.  But with time so
fleeting and no spare equipment to set up a 'pot', I opted to just get rid of
Netbios over TCP/IP that wasn't needed on the box at that point.

If you have any theory on how this might have taken place passworded, I'd like
to know your thoughts.  Several others spent a good period of research time
looking at the packet trace and so on.  Far more informed than I'll ever be at
networking.  They came away puzzled as well in that there appeared to be no PW
crack run or whatever associated with the incidents.

One other part of the puzzle might be useful.  In this case the passworded
GUEST account had been used prior to the attack(s).  I'm not sure about what
the status of the connection was at these starting points, whether the
share was actually in use or not.


--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)