Security Incidents mailing list archives

Re: Windows Systems Defaced

From: "Stephen W. Thompson" <thompson () pobox upenn edu>
Date: Thu, 2 May 2002 23:00:01 -0400 (EDT)

"Steve Zenone" <Zenone () cats ucsc edu> wrote:

Have any of you seen similar activity? Any thoughts?


Yes, we had one that matches most of your details.  These
are exact matches:

 [] Damage occurred around 1600 on 5/1/2002

BUT=>   (approx. 16:00 EDT for us)

 [] Win-popup message with "F---ing University of Rochester"
      -- NOTE: not all systems running IIS
 [] Admins claimed that all systems were patched correctly
 [] Most were running updated and current AV


I don't know about file/directory deletions - machine wouldn't
boot, so they hadn't looked at the filesystem yet.  A quick rebuild
was planned, so unlikely that drive may be examined.

Additional: NT4 SP6 (maybe not 6a; unknown security rollup hotfix);
  not running IIS; part of a domain but not a domain server; running
  SQL Server (version not available right now); a share given access
  only to an access control list of specific, domain-authenticated
  users *and* authentication to SQL Server (reportedly); passwords
  claimed to be strong; same password used on PDC and this machine.

Also noted by admin, unknown if related or if I understood correctly:
  Reports of "this IP is being used by another machine"-type messages
  for the machine in question.  (Same day? Previous day? Previous
  week?); problems with "path unknown" and "unable to find domain"
  sorts of errors for previous two weeks; passwords not working and
  then working; currently unconfirmed report of an IRC-controlled "bot"
  on same subnet.

I have received three reports thus far of Windows systems
that have been damaged. At this point there have been
nine systems on various subnets.

[snip]

En paz,
Steve, security analyst
-- 
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
thompson () isc upenn edu    URL=http://pobox.upenn.edu/~thompson/index.html
  For security matters, use security () isc upenn edu, read by InfoSec staff
  The only safe choice: Write e-mail as if it's public.  Cuz it could be.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Windows Systems Defaced Steve Zenone (May 02)
- <Possible follow-ups>
- Re: Windows Systems Defaced Stephen W. Thompson (May 02)
  - RE: Windows Systems Defaced Steve Zenone (May 02)
    - RE: Windows Systems Defaced H C (May 03)
    - RE: Windows Systems Defaced Brenna Primrose (May 03)
    - RE: Windows Systems Defaced Johannes B. Ullrich (May 03)
    - Windows Systems Defaced/destroyed, plus Port 3389 attacks Bukys, Liudvikas (May 13)
- RE: Windows Systems Defaced David Ashwood (May 03)
- Re: Windows Systems Defaced Alphonse MacDonald (May 14)