Security Incidents mailing list archives
Re: exploited win2k box, not quite sure how:
From: "Mike Lewinski" <mike () rockynet com>
Date: Mon, 20 May 2002 13:13:32 -0600
It's definitely been broken into. PC-cillin has picked up a few Nimda files, and there is a directory c:\tAGGEd with various subdirectories under it, and an unopenable file C:\TaGGed By Ca$e.
Sounds like a run-of-the-mill exploited anonymous FTP server to me. You got a world-writeable C: drive as ftproot? That will cause problems....

Use 'dir /x' to get MS-DOS 8.3 filenames, then you can use any other standard DOS commands to examine/remove it. Probably full of pirated software and movies. Check your FTP logs.
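Following the advice above to check the FTP logs, here is an added example (not part of the original post): a Python script that lists successful directory creations and uploads made in anonymous sessions, grouped by client address. The log layout is an assumption (W3C extended format with the fields shown in the constructed sample, as written by the Microsoft FTP service); the sample lines, addresses and the function name `anonymous_writes` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample; assumed W3C extended layout for the FTP service log
# (time c-ip cs-method cs-uri-stem sc-status). Addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:11:40 192.0.2.44 [7]USER anonymous 331
02:11:41 192.0.2.44 [7]PASS guest@example.invalid 230
02:11:45 192.0.2.44 [7]MKD tAGGEd 257
02:11:52 192.0.2.44 [7]MKD tAGGEd/sub1 257
02:12:30 192.0.2.44 [7]created tAGGEd/sub1/file1.bin 226
09:30:02 198.51.100.9 [8]USER anonymous 331
09:30:03 198.51.100.9 [8]PASS someone@example.invalid 230
09:30:10 198.51.100.9 [8]sent pub/readme.txt 226
09:41:00 203.0.113.5 [9]USER webadmin 331
09:41:01 203.0.113.5 [9]PASS - 230
09:41:20 203.0.113.5 [9]created site/index.html 226
"""

# Verbs that change the server's file system ("created" is how this layout logs an upload).
WRITE_VERBS = {"MKD", "created", "STOR", "APPE"}
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.+) (\d{3})$")

def anonymous_writes(log_text):
    """Return {client_ip: [(time, verb, path), ...]} for successful writes in anonymous sessions."""
    session_user = {}          # (ip, session id) -> login name seen in USER
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:              # skips '#' directive lines and anything malformed
            continue
        when, ip, sid, verb, arg, status = m.groups()
        key = (ip, sid)
        if verb.upper() == "USER":
            session_user[key] = arg.lower()
        elif verb in WRITE_VERBS and status.startswith("2"):
            if session_user.get(key) in ("anonymous", "ftp"):
                hits[ip].append((when, verb, arg))
    return dict(hits)

if __name__ == "__main__":
    for ip, events in anonymous_writes(SAMPLE_LOG).items():
        print(ip, events)
```

Any hit means the anonymous account has write access somewhere under ftproot, which is the misconfiguration the reply points at.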