Windows Systems Defaced

From: Steve Zenone (Zenoneat_private)
Date: Thu May 02 2002 - 13:23:03 PDT


Hello Folks,

I have received three reports thus far of Windows systems
that have been damaged. At this point there have been
nine systems on various subnets. The commonalities are:
 [] Damage occurred around 1600 on 5/1/2002
 [] All files deleted
    -- Folders not deleted
 [] Win-popup message with "F---ing University of Rochester"
 [] If running IIS, had the index.html changed with same
    text as win-popup
    -- NOTE: not all systems running IIS
    -- If running IIS, logs dumped from memory to drive
       in evening
       o Logs aren't showing anything useful
 [] Admins claimed that all systems were patched correctly
 [] Most were running updated and current AV

IDS didn't show anything out of the ordinary. I am currently
running net-flows against the systems we know of thus far
that have been damaged within the given timeframe yesterday.
I am looking for commonalities...but haven't really seen any
yet and am starting to wonder if these systems had a payload
that was waiting to activate (obviously undetected by AV).

Have any of you seen similar activity? Any thoughts?

Thanks in advance!
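The flow-correlation step the post describes (looking for peers common to every damaged host in the window around the 1600 event) can be scripted. This is an added example, not code from the post or from the list; the flow records, victim addresses and the time window are constructed for illustration.

```python
# Added example: find remote peers that contacted every damaged host inside a
# time window, the "commonality" check the post describes running over net-flows.
from collections import defaultdict
from datetime import datetime

# Constructed sample flows: "timestamp,src,dst,dst_port". The 10.1.x hosts stand
# in for the damaged systems; the peers are documentation addresses, not real IoCs.
FLOWS = """
2002-05-01 15:42:10,192.0.2.77,10.1.1.5,445
2002-05-01 15:43:02,192.0.2.77,10.1.2.9,445
2002-05-01 15:44:30,192.0.2.77,10.1.3.12,445
2002-05-01 15:50:00,198.51.100.8,10.1.1.5,80
2002-05-01 12:05:00,198.51.100.8,10.1.2.9,80
2002-05-01 15:55:11,203.0.113.4,10.1.1.5,139
2002-05-01 17:10:00,192.0.2.77,10.1.1.5,445
"""
VICTIMS = {"10.1.1.5", "10.1.2.9", "10.1.3.12"}  # constructed victim set
WINDOW_START = datetime(2002, 5, 1, 15, 0)       # assumed window around the 1600 event
WINDOW_END = datetime(2002, 5, 1, 16, 30)


def parse_flows(text):
    """Parse the CSV-style flow lines into (timestamp, src, dst, dst_port) tuples."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        flows.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, dst, int(port)))
    return flows


def common_peers(flows, victims, start, end):
    """Return {peer: {dst_ports}} for peers that reached every victim within [start, end].

    A peer seen against only some victims, or outside the window, is not a commonality.
    """
    hosts_by_peer = defaultdict(set)
    ports_by_peer = defaultdict(set)
    for ts, src, dst, port in flows:
        if dst in victims and start <= ts <= end:
            hosts_by_peer[src].add(dst)
            ports_by_peer[src].add(port)
    return {peer: ports_by_peer[peer]
            for peer, hosts in hosts_by_peer.items() if hosts == victims}


if __name__ == "__main__":
    for peer, ports in common_peers(parse_flows(FLOWS), VICTIMS, WINDOW_START, WINDOW_END).items():
        print(f"{peer} reached all {len(VICTIMS)} damaged hosts in window; ports {sorted(ports)}")
```

Real flow exports carry more fields and far more records, but the same set-intersection idea applies; a peer that only shows up against one host, like 203.0.113.4 here, is filtered out rather than reported.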
