Security Incidents mailing list archives

RE: exploited win2k box, not quite sure how:


From: Ron Yount <rony () co island wa us>
Date: Mon, 20 May 2002 11:44:54 -0700

I've seen what you're describing from automated ftp scanners.
Check the ftp logs to see what is there. 
Kill the anonymous ftp services.

Ron

-----Original Message-----
From: John Jasen [mailto:jjasen1 () umbc edu]
Sent: Friday, May 17, 2002 6:05 PM
To: incidents () securityfocus com
Subject: exploited win2k box, not quite sure how:



Got a weird one here.

Win2k server, SP2
IIS 5.0
SQL server 7
ipswitch imail 6.x

It's definitely been broken into. PC-cillin has picked up a few Nimda
files, and there is a directory c:\tAGGEd with various subdirectories
under it, and an unopenable file C:\TaGGed By Ca$e.

I'm working on getting a disk image up for perusal, but that might take a
few days.

Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few
other places has come up dry.

--
-- John E. Jasen (jjasen1 () umbc edu)
-- User Error #2361: Please insert coffee and try again.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


