Security Incidents mailing list archives

Re: exploited win2k box, not quite sure how:


From: "Mike Lewinski" <mike () rockynet com>
Date: Mon, 20 May 2002 13:13:32 -0600

It's definitely been broken into. PC-cillin has picked up a few Nimda
files, and there is a directory c:\tAGGEd with various subdirectories
under it, and an unopenable file C:\TaGGed By Ca$e.

Sounds like a run-of-the-mill exploited anonymous FTP server to me. You got
a world-writeable C: drive as ftproot? That will cause problems.... Use 'dir
/x' to get MS-DOS 8.3 filenames, then you can use any other standard DOS
commands to examine/remove it. Probably full of pirated software and movies.
Check your FTP logs.
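
One way to carry out the "check your FTP logs" step, as an added example that is not part of the original post: a Python script that lists successful write operations made by anonymous sessions. The W3C extended field layout, the `[n]VERB` method format and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log; field layout and verb names are assumptions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
02:14:07 192.0.2.44 [7]USER anonymous 331
02:14:08 192.0.2.44 [7]PASS guest@example.test 230
02:14:15 192.0.2.44 [7]MKD tAGGEd 257
02:14:31 192.0.2.44 [7]created /tAGGEd/sample.bin 226
09:30:02 198.51.100.9 [8]USER anonymous 331
09:30:03 198.51.100.9 [8]PASS user@example.test 230
09:30:10 198.51.100.9 [8]sent /pub/readme.txt 226
09:31:00 198.51.100.9 [8]created /pub/denied.bin 550
"""

# Operations that change the file system (uploads assumed logged as "created").
WRITE_VERBS = {"MKD", "created", "STOR", "RNTO", "DELE", "RMD"}
ANON_USERS = {"anonymous", "ftp"}

def anonymous_writes(log_text):
    """Return {client_ip: [(time, verb, path), ...]} for successful
    write operations performed in anonymous FTP sessions."""
    fields = []
    session_user = {}                 # (ip, session id) -> login name
    findings = defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # honour the layout the log declares
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        m = re.match(r"\[(\d+)\](\S+)$", rec.get("cs-method", ""))
        if not m:
            continue                   # malformed or unexpected record
        key = (rec.get("c-ip"), m.group(1))
        verb, path = m.group(2), rec.get("cs-uri-stem", "")
        if verb == "USER":
            session_user[key] = path.lower()
        elif (verb in WRITE_VERBS
              and rec.get("sc-status", "").startswith("2")
              and session_user.get(key) in ANON_USERS):
            findings[key[0]].append((rec.get("time"), verb, path))
    return dict(findings)

if __name__ == "__main__":
    for ip, ops in anonymous_writes(SAMPLE_LOG).items():
        print(ip, ops)
```
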



