Security Incidents mailing list archives

Re: Another unicode hacked box


From: jamie rishaw <jrishaw () PLAYBOY COM>
Date: Wed, 9 May 2001 08:24:23 -0500

'Happened to one of our NT boxes, too.

  The solution is _always_ to reinstall, and keep the drive for forensics.

  I think due to the extreme volume of hacks, the FBI might not be all *too*
interested, but who knows, it may be reason for them to raise headcount =)

  The exploit you were hit with was probably related to the Solaris sadmind
worm/exploit... which means the IP that hit you was just a victim of another
exploit and not an attacker... makes things hard when you're trying to trace
back.

  Too bad people still have boxes on the 'net that haven't been
patched in years ...



On Tue, May 08, 2001 at 10:31:53PM -0600, Jon Zobrist wrote:
We've got a test server (NT 4 SP6, IIS 4, no patches) which was hit by
an attack pretty much identical to this one on securityfocus.

http://www.securityfocus.com/archive/88/170407

The box was in the DMZ and completely open for internet parties.

It appears we were hit on March 6, 7, and 8, 2001...
The attacker attempted to deface our web pages by uploading index.html and
index.asp, both of which include the crude English "fuck USA Government" and
the message "fuck PoinsonB0x"; they also include a contact email address of
sysadmincn () yahoo com cn

I'm not sure if this warrants contacting the FBI or not; it appears cleanup
will be reinstalling completely.

Jon Zobrist
Manager Information Systems
Avaltus, Inc.
801-303-2101
jzobrist () avaltus com


--
jamie rishaw <jrishaw () playboy com>
sr. wan/unix engineer/ninja // playboy enterprises inc.
opinions stated are mine, and are not necessarily those of the bunny.
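The thread subject refers to the IIS "Unicode" directory traversal, in which an overlong UTF-8 encoding of "/" or "\" (such as %c0%af or %c1%9c) slips past the server's "../" check and is only turned into a path separator afterwards. The script below is an added example, not code from either poster: it decodes request paths the way the unpatched server effectively did, flags any request whose resolved path climbs above the web root, and notes whether the request used an overlong encoding. The IIS W3C log lines it scans are constructed for illustration; the field layout, the IP addresses and the `scan_iis_log`, `decode_overlong_utf8` and `escapes_webroot` names are the example's own assumptions.

```python
"""Flag IIS requests that use overlong UTF-8 ("Unicode") encodings, or plain
encoded '..' segments, to traverse outside the web root.  Added example; not
code from the original thread."""
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C extended log lines (assumed layout); not from the post.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-03-06 02:11:54 192.0.2.10 GET /default.htm - 200
2001-03-06 02:12:01 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-03-06 02:12:03 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-03-06 02:12:09 192.0.2.10 GET /scripts/..%e0%80%af../winnt/system32/cmd.exe /c+dir 200
2001-03-06 02:13:10 198.51.100.7 GET /images/..%2f..%2flogo.gif - 404
2001-03-06 02:13:12 198.51.100.7 GET /docs/a/../b.htm - 200
"""

# Overlong forms a strict UTF-8 decoder rejects: 2-byte with lead C0/C1,
# 3-byte with lead E0 and a second byte below A0.
OVERLONG = re.compile(rb'[\xc0\xc1][\x80-\xbf]|\xe0[\x80-\x9f][\x80-\xbf]')


def decode_overlong_utf8(data: bytes) -> str:
    """Decode bytes as UTF-8 while also accepting overlong sequences.  This is
    the lenient behaviour that let %c0%af pass the '../' check as two odd
    bytes and then become '/' when the path was mapped to disk."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:
            out.append(chr(b0))
            i += 1
        elif 0xC0 <= b0 <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b0 & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        elif (0xE0 <= b0 <= 0xEF and i + 2 < n
              and all(0x80 <= b <= 0xBF for b in data[i + 1:i + 3])):
            cp = ((b0 & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            out.append(chr(cp))
            i += 3
        else:
            out.append('\ufffd')   # malformed byte: keep going, mark it
            i += 1
    return ''.join(out)


def escapes_webroot(path: str) -> bool:
    """True if resolving '..' components climbs above the web root.  Both
    separators count, since the decoded overlong byte may be '\\'."""
    depth = 0
    for part in path.replace('\\', '/').split('/'):
        if part == '..':
            depth -= 1
            if depth < 0:
                return True
        elif part and part != '.':
            depth += 1
    return False


def scan_iis_log(text: str):
    """Return (client_ip, raw_stem, decoded_stem, used_overlong) for every
    request whose decoded path escapes the web root."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem = fields[2], fields[4]
        raw = unquote_to_bytes(stem)          # %xx -> bytes, nothing else
        decoded = decode_overlong_utf8(raw)
        if escapes_webroot(decoded):
            hits.append((ip, stem, decoded, bool(OVERLONG.search(raw))))
    return hits


if __name__ == '__main__':
    for ip, raw, decoded, overlong in scan_iis_log(SAMPLE_LOG):
        tag = 'OVERLONG' if overlong else 'plain'
        print(f'{ip:<14} {tag:<8} {raw} -> {decoded}')
```

The point of decoding leniently before checking is that a filter which looks for "../" in the percent-decoded string, as the unpatched server did, never sees the traversal: %c0%af decodes to two bytes that only become "/" once the path is interpreted as UTF-8. Running the detector over the constructed log reports three overlong hits from the same source and one plain "%2f" traversal attempt, while the harmless "/docs/a/../b.htm" request, which stays inside the root, is not flagged.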

