On Tue, 8 May 2001 22:31:53 -0600, Jon Zobrist wrote:

>We've got a test server which was NT 4 SP6 IIS 4 no patches which was hit by
>an attack pretty much identical to this one on securityfocus.
>
>http://www.securityfocus.com/archive/88/170407

That is the BackGate kit.

>The box was in the DMZ and completely open for internet parties.

BackGate provides a platform for launching attacks internally and externally using its Wingate component.

>It appears we were hit on March 6, 7, and 8th, 2001...
>The attacker attempted to deface our web pages by uploading index.html and
>index.asp both of which include the crude English "f*ck USA Government" and
>the message "f*ck PoinsonB0x", it also includes a contact email address of
>sysadmincnat_private
>
>I'm not sure if this warrants contacting the FBI or not, it appears clean up
>will be reinstalling completely.

If the box has been hosting BackGate for a month, perhaps the logs have info you or LE can use. There is an analysis of BackGate with some recovery options, including viewing the "hidden logs", here:

http://www.incidents.org/react/unicode.php

Matt
2001-05-09
This archive was generated by hypermail 2b30 : Tue May 08 2001 - 23:52:57 PDT