Fast question. On win2k, is there an easy way of closing/blocking these,
or does it have to be further up the chain?

On Thu, Sep 17, 2009 at 4:33 PM, Jacob <ja...@excaliburfilms.com> wrote:
>
> 135 and 445 should NOT be open to the public!
>
> -----Original Message-----
> From: b...@bradwood.com [mailto:b...@bradwood.com]
> Sent: Thursday, September 17, 2009 12:47 PM
> To: cf-talk
> Subject: RE: malware patterns
>
>
> Michael, a quick Nmap shows the following ports are open on the server
> that houseoffusion.com resolves to (64.118.74.245).
>
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 80/tcp   open  http
> 135/tcp  open  msrpc
> 443/tcp  open  https
> 445/tcp  open  microsoft-ds
> 1025/tcp open  NFS-or-IIS
> 1036/tcp open  unknown
> 1041/tcp open  unknown
> 2522/tcp open  unknown
> 3389/tcp open  ms-term-serv
> 7999/tcp open  unknown
>
> Have you accounted for each program that is listening on these ports, and
> can any of them that aren't needed be closed?  You've got terminal services
> in there as well as Directory Services.  I would audit the passwords on
> all the Windows accounts since they are the only thing keeping someone
> from using these ports.
>
> Also, did you ever find anything in your Windows logs?  Security under
> Event Viewer should show you all authentication that happened prior to
> the attack.
>
> Also, on the complete random off-chance that your vulnerability was
> through a CFML file that got uploaded, taking a peek at your class files
> (which would be no small task) might reveal any compiled crumbs left
> behind by a rogue .cfm file that deleted itself after execution.
>
> If you are on SQL Server 2005, I have been able to get the SQL of
> recently run queries by looking in the cached execution plans.
> -- Every plan still in the plan cache, joined to the SQL text it was compiled from
> SELECT  cached.*,
>         sqltext.*
> FROM  sys.dm_exec_cached_plans cached
> CROSS APPLY  sys.dm_exec_sql_text (cached.plan_handle) AS sqltext;
>
> I know those are long shots, but the sooner you look, the more you might
> be able to uncover before the tracks slowly get covered.
>
> I do hope you are able to find the cause for the benefit of us all.
>
> ~Brad
>
>
>
> -------- Original Message --------
>  Subject: malware patterns
>  From: Michael Dinowitz <mdino...@houseoffusion.com>
>  Date: Thu, September 17, 2009 2:08 pm
>  To: cf-talk <cf-talk@houseoffusion.com>
>
>
>  The recent attack on House of Fusion resulted in some useful
>  information as to what you should look for. In general, all or most of
>  the files with the following extensions were affected:
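The port list Brad quoted is the kind of thing you want to triage systematically rather than by eye. The following is an added example, not code from anyone in this thread: it parses an Nmap-style `PORT STATE SERVICE` table (the one from the thread, embedded here as constructed input) and sorts each open port into "expected", "block" (Windows RPC/SMB/RDP, which should never be reachable from the public Internet and belong behind a perimeter firewall or host IPsec policy) or "review" (identify the owning process and close it if it is not needed). The allowlist and the must-filter map are assumptions chosen for an Internet-facing web server; adjust them to your own host's role.

```python
"""Triage an Nmap port table against an expected-exposure policy.

Added example (not from the cf-talk thread). The table below is the one
quoted in the thread; the policy sets are assumptions for illustration.
"""
import re

# Constructed input: the Nmap table quoted in Brad's message.
NMAP_OUTPUT = """\
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1036/tcp open  unknown
1041/tcp open  unknown
2522/tcp open  unknown
3389/tcp open  ms-term-serv
7999/tcp open  unknown
"""

# Assumed policy for a public web server: only HTTP/HTTPS are meant to be
# reachable from the Internet.
PUBLIC_OK = {80, 443}

# Windows RPC, SMB and Terminal Services must be filtered upstream (perimeter
# firewall, or a host IPsec policy) and restricted to admin networks / VPN.
MUST_FILTER = {
    135: "msrpc (Windows RPC endpoint mapper)",
    445: "microsoft-ds (SMB / Directory Services)",
    3389: "ms-term-serv (Terminal Services / RDP)",
}

# One Nmap table row: "<port>/<proto>  <state>  <service>"
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")


def parse_nmap_table(text):
    """Return (port, proto, state, service) tuples from a plain-text Nmap
    'PORT STATE SERVICE' table. The header and blank lines do not match
    LINE_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def triage(rows):
    """Map each open port to (category, note).

    category is 'expected' (allowlisted), 'block' (must be filtered from the
    public Internet) or 'review' (find the listening program and close it
    unless it is genuinely required)."""
    findings = {}
    for port, _proto, state, service in rows:
        if state != "open":
            continue  # closed/filtered ports need no action here
        if port in MUST_FILTER:
            findings[port] = ("block", MUST_FILTER[port])
        elif port in PUBLIC_OK:
            findings[port] = ("expected", service)
        else:
            findings[port] = ("review", service)
    return findings


def ports_by_category(findings, category):
    """Sorted list of ports in one category; handy for a summary line."""
    return sorted(p for p, (cat, _) in findings.items() if cat == category)


if __name__ == "__main__":
    result = triage(parse_nmap_table(NMAP_OUTPUT))
    for port in sorted(result):
        category, note = result[port]
        print(f"{port:>5}/tcp  {category:<8} {note}")
    print("block  :", ports_by_category(result, "block"))
    print("review :", ports_by_category(result, "review"))
```

Run it as-is to see the thread's scan classified; feed it your own `nmap` output (the plain table, not the XML) to triage a different host. The "review" bucket is the one that takes effort: each of those ports should be matched to a listening process and either justified or shut down.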

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:326400