Full Disclosure mailing list archives
win2k incident -- been hacked
From: harshul () ealcatraz com (Harshul Nayak (lealcatraz))
Date: Fri, 13 Sep 2002 18:32:03 +0530
Hello there,

has anyone come across a worm or an incident where the files are getting wiped out on a server running win2k? We had an incident in one of the departments. Our 3 servers have been wiped out:

- Domain controller (win2k server)
- Proxy server / Firewall (win2k server running ISA firewall)
- Mail server (win2k server running Microsoft Exchange)

The common factor in all break-ins is a file called readme.bat, and in the later incidents it's been replaced on to autoexec.bat.

We have currently patched the server and are monitoring the network with sniffers and IDS ....

The command used in both the batch files is del *.* /s/f/q

Thanking you in anticipation ...

-regs
Harsh
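The post gives one concrete indicator: a batch file (readme.bat, later autoexec.bat) whose payload is a recursive, forced, quiet wipe (del *.* /s/f/q). The following is an added example, not part of the original message or anything the poster ran: a small Python scanner that walks a directory tree, opens every .bat/.cmd file, skips REM/:: comment lines, splits chained commands on & / && / |, and flags del/erase lines that combine /s with a wildcard (or rd/rmdir with /s). The sample files it creates in a temporary directory are constructed for the demo and are not artefacts from the incident.

```python
"""Flag batch files carrying a recursive wipe such as ``del *.* /s/f/q``.
Added example for the incident described above; the sample files are
constructed here, not recovered from the affected servers."""
import re
import tempfile
from pathlib import Path

# Batch commands that delete files or directory trees. ``erase`` is an alias
# of ``del``; ``rd``/``rmdir`` remove directories (recursively with /s).
_DELETE_CMDS = re.compile(r"^\s*(?:@\s*)?(del|erase|rd|rmdir)\b(?P<args>.*)$", re.I)
# Comment lines the interpreter never executes.
_COMMENT = re.compile(r"^\s*(?:rem\b|::)", re.I)
# Operators that chain several commands on one batch line.
_CHAIN = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def is_destructive(line):
    """True if one batch command deletes recursively (/s) across a wildcard
    (del/erase) or removes a whole directory tree (rd/rmdir /s)."""
    if _COMMENT.match(line):
        return False
    m = _DELETE_CMDS.match(line)
    if not m:
        return False
    args = m.group("args")
    # Switches may be run together ("/s/f/q") or separated ("/s /f /q").
    switches = {s.lower() for s in re.findall(r"/([a-z])", args, re.I)}
    recursive = "s" in switches
    wildcard = "*" in args or "?" in args
    if m.group(1).lower() in ("rd", "rmdir"):
        return recursive            # rd /s removes an entire tree
    return recursive and wildcard   # del /s *.* walks every subdirectory


def find_destructive_commands(text):
    """Return (line_number, line) for each executable line that wipes data."""
    hits = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if _COMMENT.match(raw):
            continue
        # Inspect each chained command separately so "echo x & del ..." is caught.
        for part in _CHAIN.split(raw):
            if is_destructive(part):
                hits.append((n, raw.strip()))
                break
    return hits


def scan_tree(root):
    """Walk ``root`` and map each .bat/.cmd file containing a wipe command to
    its hits; autoexec.bat is checked like any other batch file."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() not in (".bat", ".cmd"):
            continue
        try:
            text = path.read_text(encoding="cp1252", errors="replace")
        except OSError:
            continue
        hits = find_destructive_commands(text)
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


def demo():
    """Run the scanner over constructed sample files (not incident artefacts)."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        # Constructed: the wipe the post reports, under both file names it mentions.
        (base / "readme.bat").write_text("@echo off\ndel *.* /s/f/q\n")
        (base / "autoexec.bat").write_text(
            "REM del *.* /s/f/q in a comment is not executed\n"
            "echo boot & del /s /f /q *.*\n")
        # Constructed: a benign maintenance script that must not be flagged.
        (base / "cleanup.bat").write_text("del C:\\temp\\build.log\nrd build_dir\n")
        return scan_tree(root)


if __name__ == "__main__":
    for name, hits in demo().items():
        for line_no, line in hits:
            print(f"{name}:{line_no}: {line}")
```

Run it on a mounted image or a share rather than the live host, and treat every hit as a lead to correlate with file timestamps and logon records, since the interesting question in the post is not the batch file itself but how it reached three servers.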