Security Incidents mailing list archives
Re: Windows Systems Defaced
From: "Stephen W. Thompson" <thompson () pobox upenn edu>
Date: Thu, 2 May 2002 23:00:01 -0400 (EDT)
"Steve Zenone" <Zenone () cats ucsc edu> wrote:
Have any of you seen similar activity? Any thoughts?
Yes, we had one that matches most of your details. These are exact matches:
[] Damage occurred around 1600 on 5/1/2002
BUT=> (approx. 16:00 EDT for us)
[] Win-popup message with "F---ing University of Rochester" -- NOTE: not all systems running IIS
[] Admins claimed that all systems were patched correctly
[] Most were running updated and current AV
I don't know about file/directory deletions - machine wouldn't boot, so they hadn't looked at the filesystem yet. A quick rebuild was planned, so unlikely that drive may be examined.

Additional:
[] NT4 SP6 (maybe not 6a; unknown security rollup hotfix)
[] not running IIS
[] part of a domain but not a domain server
[] running SQL Server (version not available right now)
[] a share given access only to an access control list of specific, domain-authenticated users *and* authentication to SQL Server (reportedly)
[] passwords claimed to be strong
[] same password used on PDC and this machine

Also noted by admin, unknown if related or if I understood correctly:
[] Reports of "this IP is being used by another machine"-type messages for the machine in question. (Same day? Previous day? Previous week?)
[] problems with "path unknown" and "unable to find domain" sorts of errors for previous two weeks
[] passwords not working and then working
[] currently unconfirmed report of an IRC-controlled "bot" on same subnet
I have received three reports thus far of Windows systems that have been damaged. At this point there have been nine systems on various subnets.
[snip]

En paz,
Steve, security analyst
--
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson () isc upenn edu URL=http://pobox.upenn.edu/~thompson/index.html
For security matters, use security () isc upenn edu, read by InfoSec staff
The only safe choice: Write e-mail as if it's public. Cuz it could be.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com