Information Security News mailing list archives

Microsoft "solves" hacking mystery


From: InfoSec News <isn () c4i org>
Date: Tue, 10 Sep 2002 02:16:35 -0500 (CDT)

http://news.com.com/2100-1001-957159.html?tag=fd_top

By Robert Lemos 
Staff Writer, CNET News.com
September 9, 2002, 12:01 PM PT

Microsoft has put a new spin on a mysterious rash of Windows 2000
hacks.

An advisory from the software giant last week warned companies of a
number of attacks targeting servers running Windows 2000, the cause of
which had initially puzzled Microsoft.

After following a trail of evidence left behind on compromised Windows
2000 servers, the company now believes that hackers have
systematically exploited Windows 2000 servers that haven't been
properly locked down, rather than a hole in the operating system.

"Microsoft has determined that these attacks do not appear to exploit
any new product-related security vulnerabilities and do not appear to
be viral or worm-like in nature," the software giant stated in an
advisory posted late Friday. "Instead, the attacks seek to take
advantage of situations where (proper) precautions have not been
taken."

The advisory from Microsoft's Product Support Services replaced an
older one that had few details, leading it to be criticized by
security experts as too vague to be of any help.

The attacks are linked by a common set of software detritus, left
behind by an attacker to help keep control of compromised boxes. The
most recent advisory warns that "successful compromises leave a
distinctive pattern," including a modified security policy--if the
victim's computer is a domain controller--and files identified as
Backdoor.IRC.Flood.

Backdoor.IRC.Flood installs an Internet Relay Chat (IRC) client that
allows remote and unlimited access to the compromised computer.

In addition, the hacked computers contain a common set of files,
including Gg.bat, Seced.bat, Nt32.ini, Ocxdll.exe and Gates.txt. The
file Gg.bat attempts to connect to other servers as an administrator
or root user, while Seced.bat changes the security policy. Gates.txt
contains a list of numerical Internet addresses; the advisory didn't
offer details as to what the addresses may correspond.

All the compromised computers ran Microsoft's Windows 2000 operating
system.

Microsoft stressed in its advisory that while the attacks seem to have
a common thread, there wasn't any proof that they exploited a weakness
in the operating system.

"The attackers appear to have gained entry to the systems by using
weak or blank administrator passwords," the company said in the latest
advisory.

However, the software giant didn't explain why every computer attacked
happened to be a Windows 2000 server. Insecure password problems
affect all computers, not just a single version of an operating
system.

Microsoft recommends that all its customers protect their servers by
eliminating weak or blank passwords, disabling the guest account,
running up-to-date antivirus software, using firewalls to protect
internal servers and keeping current with all security patches.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.


Current thread: