Re: Windows Systems Defaced

From: Luca Mihailescu (luca@evolvingedge.net)
Date: 05/03/02


Date: 3 May 2002 00:46:16 -0000
From: Luca Mihailescu <luca@evolvingedge.net>
To: focus-ms@securityfocus.com


In-Reply-To: <IJEDLKLPHGOBGKCBLDCJKENLCFAA.Zenone@cats.ucsc.edu>

>From: "Steve Zenone" <Zenone@cats.ucsc.edu>
>To: <focus-ms@securityfocus.com>
>Subject: Windows Systems Defaced
>Date: Thu, 2 May 2002 13:24:47 -0700
>Message-ID: <IJEDLKLPHGOBGKCBLDCJKENLCFAA.Zenone@cats.ucsc.edu>
>
>Hello Folks,
>
>I have received three reports thus far of Windows systems
>that have been damaged. At this point there have been
>nine systems on various subnets. The commonalities are:
>
> [] Damage occurred around 1600 on 5/1/2002
> [] All files deleted
>    -- Folders not deleted
> [] WinPopup message with "F---ing University of Rochester"
> [] If running IIS, had the index.html changed with the same
>    text as the WinPopup
>    -- NOTE: not all systems running IIS
>    -- If running IIS, logs dumped from memory to drive
>       in evening
>       o Logs aren't showing anything useful
> [] Admins claimed that all systems were patched correctly
> [] Most were running updated and current AV
>
>IDS didn't show anything out of the ordinary. I am currently
>running net-flows against the systems we know of thus far
>that have been damaged within the given timeframe yesterday.
>I am looking for commonalities...but haven't really seen any
>yet and am starting to wonder if these systems had a payload
>that was waiting to activate (obviously undetected by AV).
>
>Have any of you seen similar activity? Any thoughts?
>
>Thanks in advance!
>
>Regards,
>Steve
>
>

Is anything else running on the machines that aren't running
IIS, like Terminal Services, VNC, pcAnywhere, etc.? I mean
remote control services. Were all the machines in the same
domain? If so, does anyone have access to the PDC or BDCs?
If you don't think this was done from the console, I think
someone got your admin password (L0phtCrack, whatever). Who's
the owner of the new index.html files?
You can try installing a honeypot running syslog for NT,
sending all the logs to a machine you TRUST. Most probably
he's going to try it again.

Hope this helps,
L.
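Added example (not part of either post above): a Python sketch of the net-flow commonality search the original poster describes, extended to flag the remote-control ports the reply asks about. It ranks every source that reached a damaged host inside a window around the damage time by how many victims it touched, and names the service behind each destination port so Terminal Services, VNC, pcAnywhere and SMB stand out. The flow records, the 192.0.2.x victim addresses, the external sources and the damage time are constructed for the example; the port-to-service names are the well-known assignments and are not taken from the thread.

```python
"""Net-flow commonality triage for a multi-host defacement (added example).

Rank the sources that reached the damaged hosts around the damage time and
label the ports they used. All flows and addresses below are constructed
(RFC 5737 documentation ranges); the damage time is the example's own.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Well-known ports for the remote-control services the reply asks about,
# plus SMB and HTTP. Assumed standard assignments, nothing from the thread.
INTERESTING_PORTS = {
    3389: "Terminal Services (RDP)",
    5900: "VNC",
    5631: "pcAnywhere data",
    5632: "pcAnywhere status",
    139: "NetBIOS session (SMB)",
    445: "SMB (direct host)",
    80: "HTTP (IIS)",
}

# Constructed flow export: start time, source, destination, dest port, proto.
# 192.0.2.10-12 play the damaged hosts; 192.0.2.50 is an internal host;
# 198.51.100.77 and 203.0.113.x are external sources.
SAMPLE_FLOWS = """\
2002-05-01 15:51:02,198.51.100.77,192.0.2.10,445,tcp
2002-05-01 15:52:30,198.51.100.77,192.0.2.11,445,tcp
2002-05-01 15:55:10,198.51.100.77,192.0.2.12,445,tcp
2002-05-01 15:58:41,198.51.100.77,192.0.2.10,139,tcp
2002-05-01 16:02:10,192.0.2.50,192.0.2.10,445,tcp
2002-05-01 16:03:15,203.0.113.5,192.0.2.10,80,tcp
2002-05-01 16:04:55,203.0.113.5,192.0.2.12,80,tcp
2002-05-01 16:10:00,198.51.100.77,192.0.2.12,3389,tcp
2002-05-01 12:00:00,203.0.113.9,192.0.2.11,80,tcp
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_flows(text):
    """Parse the CSV export into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split(",")
        flows.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
        })
    return flows


def sources_by_victim(flows, victims, start, end):
    """Map source -> {victim -> set of dest ports} for flows inside [start, end]."""
    hits = defaultdict(lambda: defaultdict(set))
    for f in flows:
        if f["dst"] in victims and start <= f["ts"] <= end:
            hits[f["src"]][f["dst"]].add(f["dport"])
    return hits


def rank_sources(hits, victims):
    """Order sources by how many damaged hosts they reached.

    A source that reached every victim is the first to pull host logs for.
    If nothing reaches more than one victim, the flows support the poster's
    alternative: a payload planted earlier and fired on a timer.
    """
    ranked = []
    for src, per_victim in hits.items():
        ports = set().union(*per_victim.values())
        ranked.append({
            "src": src,
            "victims_reached": len(per_victim),
            "all_victims": set(per_victim) == set(victims),
            "services": sorted(INTERESTING_PORTS.get(p, "port %d" % p) for p in ports),
        })
    ranked.sort(key=lambda r: (-r["victims_reached"], r["src"]))
    return ranked


def triage(flow_text, victims, damage_time, minutes=15):
    """Run the whole search; damage_time is 'YYYY-MM-DD HH:MM:SS'."""
    centre = datetime.strptime(damage_time, TS_FORMAT)
    window = timedelta(minutes=minutes)
    flows = parse_flows(flow_text)
    hits = sources_by_victim(flows, set(victims), centre - window, centre + window)
    return rank_sources(hits, victims)


if __name__ == "__main__":
    victims = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    for r in triage(SAMPLE_FLOWS, victims, "2002-05-01 16:00:00"):
        reach = "ALL" if r["all_victims"] else "%d/%d" % (r["victims_reached"], len(victims))
        print("%-15s %-4s %s" % (r["src"], reach, ", ".join(r["services"])))
```

On the constructed data one external source reaches all three victims over SMB and then Terminal Services inside the window, which is exactly the pattern a cracked admin password would leave; the 12:00 flow falls outside the window and is dropped. Widen `minutes` if the damage time is only known to the hour, and treat an internal source in the same subnet as a lead on the domain-admin question rather than noise.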


