Re: Windows Systems Defaced

From: Luca Mihailescu
Date: 05/03/02

Date: 3 May 2002 00:46:16 -0000

>From: "Steve Zenone"
>Subject: Windows Systems Defaced
>Date: Thu, 2 May 2002 13:24:47 -0700
>Hello Folks,
>I have received three reports thus far of Windows systems
>that have been damaged. At this point there have been
>nine systems on various subnets. The commonalities are:
> [] Damage occurred around 1600 on 5/1/2002
> [] All files deleted
> -- Folders not deleted
> [] Win-popup message with "F---ing University of
> [] If running IIS, had the index.html changed with same
> text as win-popup
> -- NOTE: not all systems running IIS
> -- If running IIS, logs dumped from memory to
> in evening
> o Logs aren't showing anything useful
> [] Admins claimed that all systems were patched correctly
> [] Most were running updated and current AV
>IDS didn't show anything out of the ordinary. I am
>running net-flows against the systems we know of thus
>that have been damaged within the given timeframe
>I am looking for commonalities...but haven't really seen
>yet and am starting to wonder if these systems had a
>that was waiting to activate (obviously undetected by AV).
>Have any of you seen similar activity? Any thoughts?
>Thanks in advance!

Is anything else running on the machines not running
IIS? Terminal Services, VNC, pcAnywhere, etc.? I mean
remote control services. Were all the machines in the same
domain? If so, does anyone have access to the PDC or BDCs?
If you don't think this was done from the console I think
someone got your admin password (L0phtCrack, whatever). Who's
the owner of the new index.html files?
You can try installing a honeypot running syslog for
NT, sending all the logs to a machine you TRUST. Most
probably he's gonna try it again.

Hope this helps,
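The checks the reply asks for (which remote-control services are running on the machines, whether they are domain members, and who owns the new index.html) gathered into one triage script. This is an added example, not code from the original thread; the host names, the service names used for Terminal Services, WinVNC and pcAnywhere, the default IIS web root path, and admin/CIM reachability on the targets are all assumptions.

```powershell
# Added triage helper, not from the original thread. Assumes admin rights on the target
# hosts and remote WMI/CIM reachability; service names and the IIS path are assumptions.
function Get-DefacementTriage {
    param([string[]]$ComputerName)

    # Service names assumed for the remote-control products the reply asks about:
    # Terminal Services, WinVNC, pcAnywhere host; W3SVC is IIS itself.
    $watch = @('TermService', 'winvnc', 'awhost32', 'W3SVC')

    foreach ($h in $ComputerName) {
        try {
            $cs   = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $h -ErrorAction Stop
            $svcs = Get-CimInstance -ClassName Win32_Service -ComputerName $h -ErrorAction Stop |
                Where-Object { $watch -contains $_.Name -and $_.State -eq 'Running' }

            # Owner and last-write time of the web root's index.html (default IIS path assumed).
            # The owner answers "who's the owner of the new index.html files?" directly.
            $index   = "\\$h\c$\inetpub\wwwroot\index.html"
            $owner   = $null
            $written = $null
            if (Test-Path $index) {
                $owner   = (Get-Acl $index).Owner
                $written = (Get-Item $index).LastWriteTime
            }

            [pscustomobject]@{
                Computer       = $h
                Domain         = $cs.Domain
                PartOfDomain   = $cs.PartOfDomain
                RunningRemote  = ($svcs | Select-Object -ExpandProperty Name) -join ','
                IndexOwner     = $owner
                IndexLastWrite = $written
                Error          = $null
            }
        } catch {
            [pscustomobject]@{
                Computer = $h; Domain = $null; PartOfDomain = $null; RunningRemote = $null
                IndexOwner = $null; IndexLastWrite = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Placeholder host names; replace with the affected systems.
Get-DefacementTriage -ComputerName 'WEB01', 'WEB02' | Format-Table -AutoSize
```

Comparing the IndexOwner and IndexLastWrite columns across hosts gives the commonality the original poster was looking for, and a shared RunningRemote entry on the non-IIS machines is the remote-control lead the reply suggests.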