Security Incidents mailing list archives
RE: exploited win2k box, not quite sure how:
From: "Butler, Brandon" <Brandon.Butler () curascript com>
Date: Mon, 20 May 2002 14:36:52 -0400
Hrmm.. Need to know a few things first tho..

1. Is everything up-to-date on the current patches?
2. What services are you running on IIS (FTP, etc..) or on the server for that matter (Finger, Time, etc.)?
3. Do you have any blank passwords in SQL Svr 7.. is SQL open to the outside world?
4. Any fun-loving shares open to the world? Is the admin password blank?

I almost wanna say some warez kiddie is using your site as a public ftp for uploading files to your system.. maybe your ftp has anonymous enabled. If that's so, then you're prolly being used as a warez site.

Of course I could totally be wrong.. (happens once every 1500 years or so ;)

~Brandon

-----Original Message-----
From: John Jasen [mailto:jjasen1 () umbc edu]
Sent: Friday, May 17, 2002 9:05 PM
To: incidents () securityfocus com
Subject: exploited win2k box, not quite sure how:

Got a weird one here.

Win2k server, SP2
IIS 5.0
SQL server 7
ipswitch imail 6.x

It's definitely been broken into. PC-cillin has picked up a few nimda files, and there is a directory c:\tAGGEd with various subdirectories under it, and an unopenable file C:\TaGGed By Ca$e.

I'm working on getting a disk image up for perusal, but that might take a few days.

Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few other places has come up dry.

--
-- John E. Jasen (jjasen1 () umbc edu)
-- User Error #2361: Please insert coffee and try again.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Current thread:
- exploited win2k box, not quite sure how: John Jasen (May 20)
- Re: exploited win2k box, not quite sure how: Mike Lewinski (May 20)
- Re: exploited win2k box, not quite sure how: John Jasen (May 20)
- Re: exploited win2k box, not quite sure how: Scott Fendley (May 20)
- Re: exploited win2k box, not quite sure how: rulerpen (May 20)
- <Possible follow-ups>
- RE: exploited win2k box, not quite sure how: McCammon, Keith (May 20)
- RE: exploited win2k box, not quite sure how: Ron Yount (May 20)
- RE: exploited win2k box, not quite sure how: Butler, Brandon (May 20)
- FW: exploited win2k box, not quite sure how: Blake Frantz (May 20)