Full Disclosure mailing list archives

win2k incident


From: harshul () ealcatraz com (Harshul Nayak (ealcatraz))
Date: Wed, 18 Sep 2002 09:48:41 +0530


Hello there,

Has anyone come across a worm or an incident where the files are getting wiped out on a server running win2k?

We had an incident in one of the departments.
Our 3 servers have been wiped out:

- Domain controller (win2k server)
- Proxy server / Firewall (win2k server running ISA firewall)
- Mail server (win2k server running Microsoft Exchange)



The common factor in all break-ins is a file called readme.bat, and in the later incidents it's been replaced by autoexec.bat.



We have currently patched the server and are monitoring the network with sniffers and IDS....

The command used in both the batch files is del *.* /s/f/q



Thanking you in anticipation...

-regs

Harshul n.





***********************************************************************
"The shell must be cracked apart if what is in it is to come out, for
if you want the kernel you must break the shell.  And therefore, if
you want to discover nature's nakedness, you must destroy its symbols,
and the farther you get in, the nearer you come to its essence.  When
you come to the One that gathers all things up into itself, there your
soul must stay."

 -Meister Eckhart
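As an added defensive example (not code from the original post or its author): a small Python scanner that flags batch files carrying the wipe pattern reported above, a recursive, unattended delete of a wildcard target, and that handles the run-together /s/f/q switch form as well as spaced-out switches. The file names and contents below are constructed samples modelled on the post.

```python
import re

# Constructed sample batch files: two carry the wipe command in the
# forms an attacker might write it, one is a benign cleanup script.
SAMPLE_BATCH_FILES = {
    "readme.bat": "del *.* /s/f/q\r\n",
    "autoexec.bat": "@echo off\r\nDEL C:\\*.* /S /F /Q\r\n",
    "cleanup.bat": "del temp.log /q\r\ndel /s *.tmp\r\n",
}

DESTRUCTIVE_CMDS = {"del", "erase"}
# cmd.exe accepts switches run together ("/s/f/q") as well as spaced out,
# so each "/x" inside a single token is extracted as its own switch.
SWITCH_RE = re.compile(r"/([A-Za-z])")


def parse_del(line):
    """Return (targets, switches) if the line invokes del/erase, else None."""
    tokens = line.strip().lstrip("@").split()
    if not tokens or tokens[0].lower() not in DESTRUCTIVE_CMDS:
        return None
    targets, switches = [], set()
    for tok in tokens[1:]:
        if tok.startswith("/"):
            switches.update(s.lower() for s in SWITCH_RE.findall(tok))
        else:
            targets.append(tok)
    return targets, switches


def is_wipe_command(line):
    """True for a recursive (/s), quiet (/q) delete of a wildcard target."""
    parsed = parse_del(line)
    if parsed is None:
        return False
    targets, switches = parsed
    wildcard = any("*" in t or "?" in t for t in targets)
    return wildcard and {"s", "q"} <= switches


def scan_batch_files(files):
    """Map each file name to the (line number, line) pairs that match."""
    findings = {}
    for name, text in files.items():
        hits = [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
                if is_wipe_command(ln)]
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan_batch_files(SAMPLE_BATCH_FILES).items():
        for n, ln in hits:
            print(f"{name}:{n}: {ln}")
```

Point `scan_batch_files` at the contents of real .bat files (autoexec.bat and any readme.bat in particular) to triage a host quickly before deeper forensics.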
