Security Incidents mailing list archives

Another unicode hacked box


From: Jon Zobrist <kgb () USSR COM>
Date: Tue, 8 May 2001 22:31:53 -0600

We've got a test server which was NT 4 SP6, IIS 4, no patches, which was hit by
an attack pretty much identical to this one on securityfocus.

http://www.securityfocus.com/archive/88/170407

The box was in the DMZ and completely open for internet parties.

It appears we were hit on March 6, 7, and 8th, 2001...
The attacker attempted to deface our web pages by uploading index.html and
index.asp, both of which include the crude English "fuck USA Government" and
the message "fuck PoinsonB0x"; it also includes a contact email address of
sysadmincn () yahoo com cn

I'm not sure if this warrants contacting the FBI or not; it appears cleanup
will be reinstalling completely.

Jon Zobrist
Manager Information Systems
Avaltus, Inc.
801-303-2101
jzobrist () avaltus com

