Full Disclosure mailing list archives

win2k incident -- been hacked


From: harshul () ealcatraz com (Harshul Nayak (lealcatraz))
Date: Fri, 13 Sep 2002 18:32:03 +0530


Hello there,

Has anyone come across a worm or an incident where the files are getting wiped out on a server running win2k?

We had an incident in one of the departments. Our 3 servers have been wiped out:

  - Domain controller (win2k server)
  - Proxy server / Firewall (win2k server running ISA firewall)
  - Mail server (win2k server running Microsoft Exchange)



The common factor in all break-ins is a file called readme.bat, and in the later incidents it's been replaced on to autoexec.bat.



We have currently patched the server and are monitoring the network with sniffers and IDS...

The command used in both batch files is: del *.* /s/f/q



Thanking you in anticipation...

-regs

Harsh
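The one concrete indicator in the post is a batch file (readme.bat, later autoexec.bat) whose payload is `del *.* /s/f/q`. The following is an added example, not code from the poster or from anyone in the thread: a small Python scanner that walks a directory tree, reads every .bat/.cmd file and flags lines that run del/erase with the recursive /s switch and a wildcard (the reported pattern), or rd/rmdir with /s. It handles the switches being glued together as "/s/f/q", commands chained with &, &&, | or ||, and skips rem/:: comment lines so a commented-out mention does not count. The sample file names and contents written by demo() are constructed for the demonstration and are not captured from the incident.

```python
"""Hunt for batch files that contain destructive recursive deletes.

Added example for the win2k incident above.  The indicator reported there is a
batch file (readme.bat / autoexec.bat) running `del *.* /s/f/q`.  This scanner
flags del/erase with the /s switch plus a wildcard, and rd/rmdir with /s.
All file names and contents in SAMPLES are constructed for the demo.
"""
import os
import re
import tempfile

# Command separators understood by cmd.exe: &  &&  |  ||  (longest alternatives first)
_SEPARATORS = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")
# del/erase or rd/rmdir at the start of a command; a leading '@' suppresses echo
_DEL_CMD = re.compile(r"^@?\s*(del|erase)\b(.*)$", re.IGNORECASE)
_RD_CMD = re.compile(r"^@?\s*(rd|rmdir)\b(.*)$", re.IGNORECASE)
# /s may be glued to other switches, as in the reported "/s/f/q"; do not match /subdir
_RECURSIVE_SWITCH = re.compile(r"/s(?![a-z0-9])", re.IGNORECASE)


def classify_command(segment):
    """Return a reason string if one cmd.exe command is destructive, else None."""
    m = _DEL_CMD.match(segment)
    if m:
        args = m.group(2)
        if _RECURSIVE_SWITCH.search(args) and "*" in args:
            return "recursive wildcard delete: %s" % segment.strip()
        return None
    m = _RD_CMD.match(segment)
    if m and _RECURSIVE_SWITCH.search(m.group(2)):
        return "recursive directory removal: %s" % segment.strip()
    return None


def scan_batch_text(text):
    """Scan batch-file text; return [(line_no, reason)] for destructive lines."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.lower().startswith(("rem ", "::")):
            continue  # comment lines are never executed
        for segment in _SEPARATORS.split(line):
            reason = classify_command(segment)
            if reason:
                findings.append((line_no, reason))
    return findings


def scan_tree(root):
    """Walk root; return {path: findings} for every .bat/.cmd file with hits."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".bat", ".cmd")):
                continue
            path = os.path.join(dirpath, name)
            # latin-1 never fails to decode, so an odd byte cannot abort the sweep
            with open(path, "r", encoding="latin-1", errors="replace") as fh:
                findings = scan_batch_text(fh.read())
            if findings:
                hits[path] = findings
    return hits


# Constructed sample files for the demo (not captured from the incident).
SAMPLES = {
    "readme.bat": "@echo off\ndel *.* /s/f/q\n",
    "autoexec.bat": "@echo off\r\nrem cleanup\r\ncd \\ && del *.* /s /f /q\r\n",
    "backup.cmd": "del C:\\temp\\old.log /q\nrem del *.* /s /f /q is what the worm ran\n",
    "notes.txt": "del *.* /s/f/q\n",  # not a batch file, must be ignored
}


def demo():
    """Write the constructed samples to a temp dir, scan it, return {basename: reasons}."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w", newline="") as fh:
                fh.write(body)
        hits = scan_tree(tmp)
        return {os.path.basename(p): [r for _, r in f] for p, f in hits.items()}


if __name__ == "__main__":
    for name, reasons in sorted(demo().items()):
        print(name)
        for reason in reasons:
            print("   ", reason)
```

Run it against a mounted image or a share with `scan_tree(r"D:\")` instead of the temp directory; the point of keeping the match logic in `classify_command` is that it is easy to extend with further destructive patterns (format, diskpart scripts) without touching the file walk. Only readme.bat and autoexec.bat are reported in the demo: backup.cmd's wildcard delete sits in a rem comment, and notes.txt is not a batch file.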






