[Snort-users] WIN2K IRC Trojan
flynngn at ...6811...
Fri Sep 6 14:00:04 EDT 2002
"F.M. Taylor" wrote:
> Dudez, wtf is up with this trojan/hack/bot/win2k exploit that seems to be
> speading itself fairly rapidly. Is there a sig for this yet? Does anyone
> even know how this thing is being spread??
Everyone I've talked to seems to think it spreads through
weak or nonexistent w2k Administrator passwords. If that
is the case, a signature that looks for netbios over tcp
connections to port 139 with the Administrator account
trying to access the C$ share should do the trick.
Security Engineer - Technical Services
James Madison University
More information about the Snort-users