[prev in list] [next in list] [prev in thread] [next in thread] 

List:       snort-sigs
Subject:    [Snort-sigs] NT Remote Shutdown
From:       pquintanilha () mailbr ! com ! br
Date:       2001-07-06 22:49:01
[Download RAW message or body]

Hi there!

I've received a customer report that some NT servers on there was 
rebooting by unknown reasons, but aways on fridays near 17:00hs... 
hummm...

As adminitrator's password was very simple, I've created the following 
signature to see if some other user has remotely commanded a shutdown 
using that.

This is the sig:

alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS-
InitiateShutDown";flags:PA; content:"|49 00 6E 00 69 00 74 00 53 00 68 
00 75 00 74 00 64 00 6F 00 77 00 6E 00|";)



[]'s


Pedro Quintanilha

MailBR - O e-mail do Brasil -- http://www.mailbr.com.br
Faça já o seu. É gratuito!!!

[prev in list] [next in list] [prev in thread] [next in thread]