What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-


Post by FTP Ma » Sun, 13 Jul 2003 07:30:04



When I see this in my NT4 security log, what does it mean? (see
below).

On a (related?) topic, what information is being conveyed on this web
page:

http://www.yqcomputer.com/

-----------------------
Event Viewer
Security log
Object Access
User: System


Object Open:
Object Server: Security
Object Type: File
Object Name:
D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
New Handle ID: 196
Operation ID: {0,1437749}
Process ID: 2157530080
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses SYNCHRONIZE
ReadData (or ListDirectory)

Privileges -
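As an added, defender-side illustration (not code from any poster in this thread), the Python below parses an NT4 "Object Open" audit record in the layout quoted above, rejoins the Object Name that the Event Viewer wrapped across two lines, and flags the path features the later replies point at: a deeply nested directory under RECYCLER, hidden-looking "." and "~" components, and "scanned by" / "tagged" / "-=...=-" tag markers. Both sample records are constructed from the post's text; the choice to rejoin the wrapped path with no separator is an assumption about how the viewer wrapped it.

```python
import re
from typing import Dict, List, Union

# Field names of the NT4 "Object Open" (Object Access) audit record, in the
# order the Event Viewer prints them. A line that does not start with one of
# these is treated as a continuation of the previous field, because the viewer
# wraps long values such as a deep path.
FIELDS = [
    "Object Server", "Object Type", "Object Name", "New Handle ID",
    "Operation ID", "Process ID", "Primary User Name", "Primary Domain",
    "Primary Logon ID", "Client User Name", "Client Domain",
    "Client Logon ID", "Accesses", "Privileges",
]

# Constructed sample: the record quoted in the first post, including the
# line wrap inside Object Name.
SAMPLE_EVENT = r"""Object Open:
Object Server: Security
Object Type: File
Object Name:
D:\RECYCLER\S-1-5-21-2093158801-1590382355-17523355-500\DD28\.
tagged\~\scanned by\redstar\Parent Directory\for\-=SKBOCA=-
New Handle ID: 196
Operation ID: {0,1437749}
Process ID: 2157530080
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses SYNCHRONIZE
ReadData (or ListDirectory)
Privileges -
"""

# Constructed benign control: an ordinary file under a normal FTP root.
BENIGN_EVENT = r"""Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Inetpub\ftproot\pub\readme.txt
Primary User Name: SYSTEM
Accesses SYNCHRONIZE
ReadData (or ListDirectory)
Privileges -
"""


def parse_object_open(text: str) -> Dict[str, Union[str, List[str]]]:
    """Turn the wrapped Event Viewer text into a dict of field -> value."""
    record: Dict[str, Union[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Object Open:":
            continue
        for name in FIELDS:
            if line.startswith(name):
                value = line[len(name):].lstrip(": ").strip()
                current = name
                # "Accesses" lists one access right per line, so keep a list.
                if name == "Accesses":
                    record[name] = [value] if value else []
                else:
                    record[name] = value
                break
        else:
            if current is None:
                continue
            if current == "Accesses":
                record[current].append(line)  # type: ignore[union-attr]
            else:
                # Assumption: a wrapped value continues with no separator, so
                # "...\DD28\." and "tagged\~\..." rejoin as "...\DD28\.tagged\~\...".
                record[current] = str(record[current]) + line
    return record


# Path components that mimic a directory listing or carry tagger markers,
# taken from the quoted path: leading "." or "~", "scanned by", "tagged",
# a "-=NAME=-" tag and a folder literally named "Parent Directory".
TAG_COMPONENT = re.compile(
    r"^\.|^~|scanned by|tagged|^-=.*=-$|^parent directory$", re.IGNORECASE)


def flag_drop_directory(record: Dict[str, Union[str, List[str]]]) -> List[str]:
    """Return the reasons an Object Name looks like a tagged FTP drop
    directory; an empty list means nothing stood out."""
    path = str(record.get("Object Name", ""))
    parts = [p for p in path.split("\\") if p]
    reasons: List[str] = []
    if len(parts) > 1 and parts[1].upper() == "RECYCLER":
        reasons.append("path sits under the RECYCLER (recycle bin) folder")
        if len(parts) > 3 and parts[2].startswith("S-1-5-21-"):
            reasons.append("subdirectories nested under the per-user SID folder " + parts[2])
    for part in parts:
        if TAG_COMPONENT.search(part):
            reasons.append("tagger-style component %r" % part)
    return reasons


def is_tagged(record: Dict[str, Union[str, List[str]]]) -> bool:
    return bool(flag_drop_directory(record))


if __name__ == "__main__":
    rec = parse_object_open(SAMPLE_EVENT)
    print(rec["Object Name"])
    for reason in flag_drop_directory(rec):
        print(" -", reason)
```

Run over a dump of the Security log, the same parser gives a list of Object Names to review; the "ReadData (or ListDirectory)" access in the sample shows the entry is a directory listing by SYSTEM, which is what an FTP service's worker would produce when a client lists the folder.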
 
 
 

What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

Post by pedr » Sun, 13 Jul 2003 17:19:40


Looks to me like you dropped your firewall and had an FTP service installed
on your system. Have a look at your running processes and check for any FTP
servers running (probably Serv-U or Raiden), or remote service tools like
FireDaemon or Service Manager.
It's also possible that the services have been cheekily renamed as Windows
processes like winlogon or svchost; look for multiples of these running, then
it's deducing which are required by Windows to run and which may be part of
a hack pack.
You never said what OS you run, but I'd bet my last coin it's Win2k.

Pedro

 
 
 

What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

Post by pedr » Sun, 13 Jul 2003 17:38:39


a/v logs to see if it found/deleted anything?
 
 
 

What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

Post by FTP Ma » Mon, 14 Jul 2003 01:36:44


There are more entries like this BTW


How does something like this actually get installed?

Does NAV check for stuff like this?

Any software I can run that will detect this stuff - and kill it?


I have noticed that something called "winlogon" always comes up as
being shared when I restart the computer (which doesn't happen that
often) and I always stop sharing it immediately after a re-start.


I said above that it's NT4 (NT4 Server, with SP6).
 
 
 

What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

Post by pedr » Mon, 14 Jul 2003 21:53:54


It gets installed when someone scans and finds a vulnerability in your OS,
gains entry using remote access tools and installs a pack including an FTP
server and some remote tools...

Yes, it scans for it, but NAV is shit at detecting anything like this.
Yes, use a process viewer to see what threads any unusual services are using,
trace them and delete them, or check the links at the end of the message.



Keep your firewall up. If you want me to have a look at your OS, drop me a
mail.
Until then try these:
http://www.yqcomputer.com/
http://www.yqcomputer.com/
http://www.yqcomputer.com/

Pedro
 
 
 

What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

Post by Brian Desm » Tue, 15 Jul 2003 05:51:03

The server has been "scanned" by people looking for a place to host illegal
software. If you don't have anything in there in the way of software, you're
good. I suggest you turn anonymous access to the FTP server off, and if you
don't use it, remove it completely & block the port on your firewall (TCP
21).

--
--Brian Desmond
Windows Server MVP
XXXX@XXXXX.COM
http://www.yqcomputer.com/

Beta #469090
 
 
 

What is: \scanned by\redstar\Parent Directory\for\-=SKBOCA=-

Post by jcochran.n » Wed, 16 Jul 2003 02:45:21


Means you've been tagged. Step one is a reformat and reinstall,
offline, and not back online until all security fixes and service
packs have been installed. Step two is closing your anonymous FTP.

Jeff
===================================
Jeff Cochran (IIS MVP)
XXXX@XXXXX.COM - Munged of Course

I don't get much time to respond to direct email,
so posts here will have a better chance of getting
an answer. Besides, everyone benefits here.

Suggested resources:
http://www.yqcomputer.com/
http://www.yqcomputer.com/
http://www.yqcomputer.com/
http://www.yqcomputer.com/
http://www.yqcomputer.com/
http://www.yqcomputer.com/
====================================