A new worm spreading over open (or easily guessable) shares is traversing the net. To determine if it can compromise your boxes you may want to configure Internet Scanner to look for the following administrator passwords it tries:
Here are the steps: 1) Turn on the check guessedadminpw which is in BuiltinExploitsB. 2) Under "Common Settings/NT Logon Sessions" in the policy editor...in Password Checking Sources select "Try Passwords from "nbpw.login" file". 3) In the Internet Scanner installation directory: edit the nbpw.login file by appending the new list of passwords. One per line. 4) Again under "Common Settings/NT Logon Sessions" in "Account Lockout Protection" make sure that "Disallow Account Lockout" is NOT selected. Allow either temporary or permanent lockout can be selected instead. AVERT has a description up on http://vil.nai.com/vil/content/v_100127.htm . The list of passwords it uses follows. You may also want to turn on 'VNCDetect Virtual Network Computing server detected' - since Deloder installs VNC. Deloder passwords: 000000 00000000 111111 11111111 121212 123123 12345 123456 1234567 12345678 123456789 1234qwer 123abc 123asd 123qwe 54321 654321 88888888 abc123 Admin admin admin123 administrator alpha computer database enable foobar godblessyou ihavenopass Internet Login login mypass mypc123 oracle owner passwd Password password patrick pw123 secret server super sybase temp123 test123 ypass123 -------------------------------------------- Chris Rouland Director / X-Force Internet Security Systems, Inc. http://xforce.iss.net [EMAIL PROTECTED] _______________________________________________ ISSForum mailing list [EMAIL PROTECTED] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo
