Subj : Bugbear.A virus notes
To   : Mike Ruskai
From : Mike Luther
Date : Mon Oct 14 2002 09:42 am

But in this case, Mike ..

MR> The GUEST account has no access to any shares in OS/2
MR> unless you explicitly grant it access. In other words,
MR> there's no vulnerability unless you take specific
MR> actions to create one.

I used GUEST ... with a password. It was used for planned access, but passworded. In theory, it shouldn't have been compromisable, but somehow it was.

I only got two passes at this to research. The first one was a complete surprise. In the second one I missed just the very start of the attack with the trace, so we didn't learn exactly what the first few packets were like. It would have been nice to know exactly where the hole was. But with time so fleeting and no spare equipment to set up a 'pot', I opted to just get rid of NetBIOS over TCP/IP, which wasn't needed on the box at that point.

If you have any theory on how this might have taken place passworded, I'd like to know your thoughts. Several others spent a good period of research time looking at the packet trace and so on. Far more informed than I'll ever be at networking. They came away puzzled as well, in that there appeared to be no PW crack run or whatever associated with the incidents.

One other part of the puzzle might be useful. In this case the passworded GUEST account had been used prior to the attack(s). I'm not sure about the status of the connection being active at the starting point, whether the share was actually in use or not.

--> Sleep well; OS/2's still awake! ;)

Mike @ 1:117/3001

--- Maximus/2 3.01
* Origin: Ziplog Public Port (1:117/3001)