Re: mysterious attack on Windows 2000 servers (Help needed)
From: karl [x y] (jamescagney90210@excite.com)
Date: 09/15/02
- Next message: karl [x y]: "Re: Password Questions"
- Previous message: karl [x y]: "Re: Please help I have been hacked!!"
- In reply to: Manish Jain: "mysterious attack on Windows 2000 servers (Help needed)"
- Next in thread: Brill Pappin: "Re: mysterious attack on Windows 2000 servers (Help needed)"
- Reply: Brill Pappin: "Re: mysterious attack on Windows 2000 servers (Help needed)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "karl [x y]" <jamescagney90210@excite.com> Date: Sun, 15 Sep 2002 07:55:28 -0400
"Manish Jain" <manishjn@hotmail.com> wrote in message
news:113d601c25c2a$22623b00$37ef2ecf@TKMSFTNGXA13...
> Then the same incident happened again on 22 Aug and after
> the incident they reinstalled the systems again. Then
> they hired me to find out the cause of the problem and
> fix it for future prevention. I started analyzing the
> network traffic and checked all their system
> configuration but I couldn't find any clue on this. Then
> on 29th Aug all 3 servers got the same attack again and
> all the files from the C:\ (which was the boot and the
> system drive) got deleted. I got the snapshot of the
> system and after analysis I found that the folder
> structure was intact but most of the system critical
> files got deleted. I found a batch file in c:\
> named "README.BAT". In this file a simple dos command was
> written "del *.* /r/s/q". I thought that this would be a
> worm and I started searching over the internet about
I think they really need to hire a security expert. This is not the sort of
thing where you want to learn as you go. They're going to get upset in a
hurry when the deletions keep happening.
I assume you've checked the firewall logs. You could also try creating a
readme.bat file and removing permissions for anyone to access that file
[including system and administrators].
In addition to the other poster, I might consider some or all of the tools
below:
- anti-trojan scanner such as www.pestpatrol.com [they also have a free
open port scanner]
- antivirus scanner like norton that is set to download updates daily, on
all clients and on vulnerable servers as needed
- a file change checker such as the free Languard file integrity checker
from www.gfi.com [download page is hidden under the "white papers" section
on their web site]
- a port scanner such as superscan from www.foundstone.com
- fport or vision from www.foundstone.com [must be run locally, can be
scripted]. Also check out the log analyzer tools there.
- a firewall with logging set up and that blocks outbound connections as
well as inbound [the cheapest firewalls start with Netgear or Linksys at
around $70 US]
- consider firewall software such as sygate for vulnerable clients and
servers
- run one or more vulnerability assessment scanners such as the free
Languard software from www.gfi.com
- run HFNETCHK [available from www.microsoft.com/security or
www.microsoft.com/download ] to scan computers on the network for missing
patches [requires Remote Registry service be running and accessible]
Consider reading books such as Hacking Exposed 3rd edition and maybe
Incident Response.
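As an added illustration of the "file change checker" item in the list above (this is not from the original post, and not GFI's Languard), a minimal baseline-and-compare script in Python: it hashes every file under a directory, stores the result, and on the next run reports files that vanished, appeared or changed, which is exactly the pattern the original poster describes (system files gone, an unexpected README.BAT in the root). The directory layout, file names and contents in `demo()` are constructed for the example.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large system files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report files that vanished, appeared, or changed since the baseline."""
    return {
        "deleted": sorted(set(baseline) - set(current)),
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(k for k in baseline.keys() & current.keys()
                          if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed run: a tiny fake system drive, a baseline, then an 'incident'."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "WINNT" / "system32").mkdir(parents=True)
        (root / "WINNT" / "system32" / "ntoskrnl.exe").write_bytes(b"constructed")
        (root / "boot.ini").write_text("[boot loader]\n")
        baseline = build_baseline(root)
        # The baseline would normally be written somewhere the server cannot
        # alter (removable media, another host) and read back on the next run.
        saved = json.dumps(baseline)
        # Simulate what the original post describes: a system file is gone,
        # an unexpected batch file appears, and one config file is modified.
        (root / "WINNT" / "system32" / "ntoskrnl.exe").unlink()
        (root / "README.BAT").write_text("rem constructed placeholder\n")
        (root / "boot.ini").write_text("[boot loader]\ntimeout=0\n")
        return compare(json.loads(saved), build_baseline(root))
```

Run `build_baseline` on a known-good system, keep the JSON off the box, and schedule `compare` so that a sudden burst of "deleted" entries or a new file in the drive root is flagged before the next reinstall.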