RE: exploited win2k box, not quite sure how:

From: Butler, Brandon (Brandon.Butler@curascript.com)
Date: 05/20/02


From: "Butler, Brandon" <Brandon.Butler@curascript.com>
To: 'John Jasen' <jjasen1@umbc.edu>, incidents@securityfocus.com
Date: Mon, 20 May 2002 14:36:52 -0400

Hrmm.. Need to know a few things first tho..

1. Is everything up-to-date on the current patches?
2. What services are you running on IIS (FTP, etc.) or on the server for
that matter (Finger, Time, etc.)?
3. Do you have any blank passwords in SQL Svr 7.. Is SQL open to the outside
world?
4. Any fun-loving shares open to the world? Is the admin password blank?

I almost wanna say some warez kiddie is using your site as a public ftp for
uploading files to your system.. maybe your ftp has anonymous enabled. If
that's so, then you're prolly being used as a warez site.

Of course I could totally be wrong.. (happens once every 1500 years or so ;)

~Brandon

-----Original Message-----
From: John Jasen [mailto:jjasen1@umbc.edu]
Sent: Friday, May 17, 2002 9:05 PM
To: incidents@securityfocus.com
Subject: exploited win2k box, not quite sure how:

Got a weird one here.

Win2k server, SP2
IIS 5.0
SQL server 7
ipswitch imail 6.x

It's definitely been broken into. PC-cillin has picked up a few nimda
files, and there is a directory c:\tAGGEd with various subdirectories
under it, and an unopenable file C:\TaGGed By Ca$e.

I'm working on getting a disk image up for perusal, but that might take a
few days.

Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few
other places has come up dry.

--
-- John E. Jasen (jjasen1@umbc.edu)
-- User Error #2361: Please insert coffee and try again.
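One way to test the "anonymous ftp being used as a drop" theory from the reply above is to look for anonymous sessions that wrote to the server in the IIS FTP logs. The script below is an added example for this archive page, not code from either poster; the log field layout and the cs-method write verbs it matches on are assumptions modelled on IIS 5 W3C logging, and the sample log is constructed.

```python
# Added example, not from the thread: scan IIS FTP W3C-format log lines for
# anonymous sessions that wrote to the server (the "public warez ftp" pattern
# Brandon suspects). Field order comes from the "#Fields:" header. The write
# verbs below are an assumption about how IIS labels cs-method; verify locally.

# Lower-cased cs-method verbs (after the "[n]" session marker) treated as writes.
WRITE_VERBS = ("created", "stor", "mkd", "rnto", "appe")

def _parse_w3c(lines):
    """Yield one dict per record, keyed by the names in the last #Fields header."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line or line.startswith("#") or fields is None:
            continue  # blank, other directive, or data before any header
        else:
            parts = line.split()
            if len(parts) >= len(fields):  # skip truncated records
                yield dict(zip(fields, parts))

def _verb(method):
    """Strip the '[n]' session prefix IIS puts on cs-method, lower-case the rest."""
    m = method.lower()
    return m[m.index("]") + 1:] if m.startswith("[") and "]" in m else m

def find_anonymous_writes(lines):
    """Return a list of {time, client, verb, path} for anonymous write operations."""
    hits = []
    for rec in _parse_w3c(lines):
        if rec.get("cs-username", "-").lower() not in ("anonymous", "ftp"):
            continue
        verb = _verb(rec.get("cs-method", ""))
        if verb.startswith(WRITE_VERBS):
            hits.append({"time": rec.get("time", "-"), "client": rec.get("c-ip", "-"),
                         "verb": verb, "path": rec.get("cs-uri-stem", "-")})
    return hits

# Constructed sample log (not a real capture); layout modelled on IIS 5 FTP logging.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-05-16 02:11:04 203.0.113.7 anonymous [3]USER anonymous 331
2002-05-16 02:11:09 203.0.113.7 anonymous [3]MKD /tAGGEd 257
2002-05-16 02:11:10 203.0.113.7 anonymous [3]created /tAGGEd/TaGGed+By+Ca$e 226
2002-05-16 02:12:30 198.51.100.9 jsmith [4]created /reports/q2.xls 226
2002-05-16 02:13:02 203.0.113.7 anonymous [3]sent /tAGGEd/readme.txt 226
""".splitlines()
```

Run against the sample, only the anonymous MKD and upload are reported; the authenticated upload and the anonymous download are not.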

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
