Re: Question regarding attack

From: David Feustel (dfeustel@mindspring.com)
Date: 02/04/02


From: "David Feustel" <dfeustel@mindspring.com>
To: <gpalmer3@mindspring.com>, <focus-ms@securityfocus.com>
Date: Mon, 4 Feb 2002 11:12:59 -0500

I recently experienced the exact same logon behavior after logging off and
immediately attempting to log on again as administrator. For reasons I won't
go into here, I immediately rebooted the system in safe mode and selected
last known good configuration. When the system came up I was again able to
log in as administrator. This was on Windows XP, however. I run standalone
(not part of a domain) on a cable modem.

----- Original Message -----
From: <gpalmer3@mindspring.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, February 01, 2002 6:14 PM
Subject: Question regarding attack

> A couple of our Windows 2000/NT machines were attacked overnight recently.
> A user attempting to log on to the machine reported that they entered their
> password, clicked enter, and the logon screen reappeared. When we rebooted
> the machine, we found that a large number of files, including the ntoskrnl
> file, had been deleted, along with basically all executables in the Winnt
> directory, event logs, and web logs also appear to have been deleted.
>
> We haven't been able to identify any trojans as living on the machines,
> although, because the log files have been deleted, we're having some
> difficulty tracking down how the attack was executed. Does anyone recognize
> this as any sort of "signature" for a particular virus or worm?
>
> Thanks
>
> GP


