RE: exploited win2k box, not quite sure how:

From: Ron Yount (rony@co.island.wa.us)
Date: 05/20/02


From: Ron Yount <rony@co.island.wa.us>
To: John Jasen <jjasen1@umbc.edu>, incidents@securityfocus.com
Date: Mon, 20 May 2002 11:44:54 -0700

I've seen what you're describing from automated ftp scanners.
Check the ftp logs to see what is there.
Kill the anonymous ftp services.

Ron

-----Original Message-----
From: John Jasen [mailto:jjasen1@umbc.edu]
Sent: Friday, May 17, 2002 6:05 PM
To: incidents@securityfocus.com
Subject: exploited win2k box, not quite sure how:

Got a weird one here.

Win2k server, SP2
IIS 5.0
SQL server 7
ipswitch imail 6.x

It's definitely been broken into. PC-cillin has picked up a few Nimda
files, and there is a directory c:\tAGGEd with various subdirectories
under it, and an unopenable file C:\TaGGed By Ca$e.

I'm working on getting a disk image up for perusal, but that might take a
few days.

Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few
other places has come up dry.

--
-- John E. Jasen (jjasen1@umbc.edu)
-- User Error #2361: Please insert coffee and try again.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
