Re: Another unicode hacked box

From: jamie rishaw (jrishawat_private)
Date: Wed May 09 2001 - 06:24:23 PDT


    'Happened to one of our NT boxes, too.
    
      The solution is _always_ to reinstall, and keep the drive for forensics.
    
      I think due to the extreme volume of hacks, the FBI might not be all *too*
    interested, but who knows, it may be reason for them to raise headcount =)
    
      The exploit you were hit with was probably related to the Solaris sadmind
    work/exploit.. which means the IP that hit you was just a victim of another
    exploit and not an attacker.. makes things hard when you're trying to trace
    back.
    
      Too bad people still have boxes on the 'net that haven't been
    patched in years ...
    
    
    
    On Tue, May 08, 2001 at 10:31:53PM -0600, Jon Zobrist wrote:
    > We've got a test server which was NT 4 SP6 IIS 4 no patches which was hit by
    > an attack pretty much identical to this one on securityfocus.
    >
    > http://www.securityfocus.com/archive/88/170407
    >
    > The box was in the DMZ and completely open for internet parties.
    >
    > It appears we were hit on March 6, 7, and 8th, 2001...
    > The attacker attempted to deface our web pages by uploading index.html and
    > index.asp both of which include the crude English "fuck USA Government" and
    > the message "fuck PoinsonB0x", it also includes a contact email address of
    > sysadmincnat_private
    >
    > I'm not sure if this warrants contacting the FBI or not, it appears clean up
    > will be reinstalling completely.
    >
    > Jon Zobrist
    > Manager Information Systems
    > Avaltus, Inc.
    > 801-303-2101
    > jzobristat_private
    >
    
    --
    jamie rishaw <jrishawat_private>
    sr. wan/unix engineer/ninja // playboy enterprises inc.
    opinions stated are mine, and are not necessarily those of the bunny.
    



    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 19:25:18 PDT