Security Incidents mailing list archives
RE: exploited win2k box, not quite sure how:
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Mon, 20 May 2002 14:39:24 -0400
Well, I'm going to be the first (and surely not the last) to tell you that this is not "a weird one."

We can't offer much advice, as you haven't provided any logs, but you obviously have (or had) a spotty IIS install, as you've likely been hit by CodeRed, Nimda, or the like.

As far as the tagged directories are concerned, that's likely due to a mis-configured FTP server (also under the blanket of IIS).

You can find information on fixing and patching both of these problems on http://microsoft.com/security.

Cheers

Keith

-----Original Message-----
From: John Jasen [mailto:jjasen1 () umbc edu]
Sent: Friday, May 17, 2002 9:05 PM
To: incidents () securityfocus com
Subject: exploited win2k box, not quite sure how:

Got a weird one here.

Win2k server, SP2
IIS 5.0
SQL server 7
ipswitch imail 6.x

It's definitely been broken into. PC-cillin has picked up a few nimda files, and there is a directory c:\tAGGEd with various subdirectories under it, and an unopenable file C:\TaGGed By Ca$e.

I'm working on getting a disk image up for perusal, but that might take a few days.

Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few other places has come up dry.

--
-- John E. Jasen (jjasen1 () umbc edu)
-- User Error #2361: Please insert coffee and try again.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com