Re: exploited win2k box, not quite sure how:

[rulerpen <rulerpen () optonline net>]

Do you have an anonymous FTP server up?

If so, that's probably where they got in from.

Either disable anonymous FTP or limit write access. :)

----- Original Message -----
From: "John Jasen" <jjasen1 () umbc edu>
To: <incidents () securityfocus com>
Sent: Friday, May 17, 2002 9:05 PM
Subject: exploited win2k box, not quite sure how:


> Got a wierd one here.
>
> Win2k server, SP2
> IIS 5.0
> SQL server 7
> ipswitch imail 6.x
>
> Its definitely been broken into. PC-cillian bas picked up a few nimda
> files, and there is a directory c:\tAGGEd with various subdirectories
> under it, and an unopenable file C:\TaGGed By Ca$e.
>
> I'm working on getting a disk image up for perusal, but that might take a
> few days.
>
> Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few
> other places has come up dry.
>
> --
> -- John E. Jasen (jjasen1 () umbc edu)
> -- User Error #2361: Please insert coffee and try again.
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com