Re: Question regarding attack
From: Fernandes, Jefferson (jfern@techboston.org)Date: 02/02/02
- Previous message: Mike Shaw: "Re: Question regarding attack"
- Maybe in reply to: gpalmer3@mindspring.com: "Question regarding attack"
- Next in thread: El Cyber d'Impacte: "RE: Question regarding attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 1 Feb 2002 22:45:32 -0500 From: "Fernandes, Jefferson" <jfern@techboston.org> To: <focus-ms@securityfocus.com>
i never heard this aproach before...It could be an in-house attack...used rcmd del *...Check your services...dameware has such utitity...
tks,
Jefferson
---------- Original Message ----------------------------------
From: <gpalmer3@mindspring.com>
Date: Fri, 01 Feb 2002 18:14:59 -0500
>
>A couple of our Windows 2000/NT machines were attacked overnight recently. A user attempting to log on to the machine reported that they entered their password, clicked enter, and the logon screen reappeared. When we rebooted the machine, we found that a large number of files, including the ntoskrnl file had been deleted, along with basically all executables in the Winnt directory, event logs, and web logs also appear to have been deleted.
>
>We haven't been able to identify any trojans as living on the machines, although, because the log files have been deleted, we're having some difficulty tracking down how the attack was executed. Does anyone recognize this as any sort of "signature" for a particular virus or worm?
>
>Thanks
>
>GP
>
>
- Previous message: Mike Shaw: "Re: Question regarding attack"
- Maybe in reply to: gpalmer3@mindspring.com: "Question regarding attack"
- Next in thread: El Cyber d'Impacte: "RE: Question regarding attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
