Security Incidents mailing list archives

Re: Another unicode hacked box


From: Johan Augustsson <johan.augustsson () ADM GU SE>
Date: Wed, 9 May 2001 10:49:30 +0200

Jon Zobrist wrote:

> The attacker attempted to deface our web pages by uploading index.html and
> index.asp both of which include the crude English "fuck USA Government" and
> the message "fuck PoinsonB0x". It also includes a contact email address of
> sysadmincn () yahoo com cn


I have caught an attempt to hack some of our webservers by the same
guy/gang.
They do not upload any files, they use a script that just simply uses
the Unicode-hack to copy \WINNT\system32\cmd.exe to \inetpub\root.exe
and then use root.exe to echo some text into the files default.htm and
default.asp. The attack that I caught was coming from a compromised box
in the USA.


> I'm not sure if this warrants contacting the FBI or not, it appears clean up
> will be reinstalling completely.

Why bother? I don't think that the Chinese will give away any of their
citizens to the USA.


- Johan
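
A log check for the activity described in this message, as an added example that is not part of the original post: it scans IIS W3C extended logs for requests that reach cmd.exe or a copy named root.exe, and for percent-encoded overlong UTF-8 bytes in the path. The field layout, the /scripts/ location, the addresses and every log line are constructed for illustration.

```python
import re
from urllib.parse import unquote

# 0xC0 and 0xC1 are never valid UTF-8 lead bytes; seeing them percent-encoded
# in a request path is the mark of an overlong ("Unicode") encoded character.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)
SHELL = re.compile(r"/(cmd|root)\.exe$", re.I)   # interpreter or its copy
WRITE = re.compile(r"\b(copy|echo)\b", re.I)     # commands named in the post

# Constructed sample log (not taken from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-09 08:41:02 192.0.2.10 GET /default.htm - 200
2001-05-09 08:41:07 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-09 08:41:09 192.0.2.77 GET /scripts/root.exe /c+echo+test+>default.htm 502
2001-05-09 08:41:12 192.0.2.10 GET /images/logo.gif - 304
""".splitlines()

def parse_w3c(lines):
    """Yield one dict per request, using the '#Fields:' header for column names."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):   # skip truncated or odd lines
                yield dict(zip(fields, values))

def classify(rec):
    """Return the reasons a request matches the activity described in the post."""
    stem, query = rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-")
    reasons = []
    if OVERLONG.search(stem):
        reasons.append("overlong-utf8-in-path")
    if SHELL.search(stem):
        reasons.append("command-interpreter-requested")
        if WRITE.search(unquote(query.replace("+", " "))):
            reasons.append("file-write-command")
    return reasons

def scan(lines):
    """Return (client ip, path, status, reasons) for every suspicious request."""
    return [(r.get("c-ip"), r.get("cs-uri-stem"), r.get("sc-status"), why)
            for r in parse_w3c(lines) if (why := classify(r))]
```

Any hit on root.exe means the copy step had already succeeded on that server, so the source address and the modification times of default.htm and default.asp are the next things to check.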

