Hello Folks,

I have received three reports thus far of Windows systems that have been damaged. At this point there have been nine systems on various subnets. The commonalities are:

[] Damage occurred around 1600 on 5/1/2002
[] All files deleted -- Folders not deleted
[] Win-popup message with "F---ing University of Rochester"
[] If running IIS, had the index.html changed with same text as win-popup
   -- NOTE: not all systems running IIS
   -- If running IIS, logs dumped from memory to drive in evening
      o Logs aren't showing anything useful
[] Admins claimed that all systems were patched correctly
[] Most were running updated and current AV

IDS didn't show anything out of the ordinary.

I am currently running net-flows against the systems we know of thus far that have been damaged within the given timeframe yesterday. I am looking for commonalities...but haven't really seen any yet and am starting to wonder if these systems had a payload that was waiting to activate (obviously undetected by AV).

Have any of you seen similar activity? Any thoughts?

Thanks in advance!

Regards,
Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
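The flow correlation Steve describes, as an added example that is not part of the original post: given one flow record per line for the hosts known to be damaged, it keeps only the flows in a window around the 1600 damage time, maps every external peer to the set of damaged hosts it exchanged traffic with, and ranks the peers shared across the most hosts. A separate first-contact lookup shows whether a shared peer reached a host well before the damage, which is the kind of evidence the "waiting payload" hypothesis would need. The record format, every address, every timestamp and the one-hour window are constructed assumptions, not data from the incident.

```python
"""Correlate flow records across damaged hosts to find shared remote peers.

Added example, not code from the original post. The line format, addresses
and timestamps are constructed for the demo (RFC 5737 and RFC 1918 ranges).
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    start: datetime
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'YYYY-MM-DD HH:MM:SS src dst dport proto'."""
    date, time, src, dst, dport, proto = line.split()
    return Flow(datetime.fromisoformat(f"{date} {time}"), src, dst, int(dport), proto)


# Constructed sample flows: three damaged hosts on different subnets, one
# unrelated host (10.9.9.9), and one remote peer that touched a damaged host
# hours before the 1600 window.
SAMPLE_FLOWS = [parse_flow(l) for l in """
2002-05-01 12:00:00 198.51.100.9 10.3.1.8 139 tcp
2002-05-01 15:58:12 198.51.100.9 10.1.4.20 139 tcp
2002-05-01 15:59:40 198.51.100.9 10.2.7.15 139 tcp
2002-05-01 16:00:30 203.0.113.7 10.1.4.20 80 tcp
2002-05-01 16:00:50 198.51.100.9 10.9.9.9 139 tcp
2002-05-01 16:01:05 198.51.100.9 10.3.1.8 139 tcp
2002-05-01 16:02:10 10.1.4.20 192.0.2.200 53 udp
2002-05-01 16:03:00 10.2.7.15 203.0.113.7 80 tcp
""".strip().splitlines()]

# Constructed set of hosts reported as damaged.
DAMAGED_HOSTS = {"10.1.4.20", "10.2.7.15", "10.3.1.8"}


def flows_in_window(flows: Iterable[Flow], start_iso: str, end_iso: str) -> List[Flow]:
    """Keep flows whose start time falls inside [start, end] (ISO 8601 strings)."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    return [f for f in flows if start <= f.start <= end]


def peers_by_damaged_host(flows: Iterable[Flow], damaged: Set[str]) -> Dict[str, Set[str]]:
    """Map each external peer to the damaged hosts it talked to, in either direction.

    Flows between two damaged hosts or between two non-damaged hosts are ignored.
    """
    peers: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        if f.src in damaged and f.dst not in damaged:
            peers[f.dst].add(f.src)
        elif f.dst in damaged and f.src not in damaged:
            peers[f.src].add(f.dst)
    return dict(peers)


def rank_shared_peers(flows: Iterable[Flow], damaged: Set[str],
                      min_hosts: int = 2) -> List[Tuple[str, int]]:
    """Peers seen with at least min_hosts damaged hosts, most widely shared first."""
    peers = peers_by_damaged_host(flows, damaged)
    ranked = [(peer, len(hosts)) for peer, hosts in peers.items() if len(hosts) >= min_hosts]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def first_contact(flows: Iterable[Flow], damaged: Set[str], peer: str) -> Dict[str, datetime]:
    """Earliest flow between peer and each damaged host over the whole capture.

    A contact long before the damage window is what a pre-staged payload would
    leave behind; a contact only at damage time points at a live trigger.
    """
    earliest: Dict[str, datetime] = {}
    for f in flows:
        if f.src == peer and f.dst in damaged:
            host = f.dst
        elif f.dst == peer and f.src in damaged:
            host = f.src
        else:
            continue
        if host not in earliest or f.start < earliest[host]:
            earliest[host] = f.start
    return earliest


if __name__ == "__main__":
    window = flows_in_window(SAMPLE_FLOWS, "2002-05-01 15:30:00", "2002-05-01 16:30:00")
    for peer, count in rank_shared_peers(window, DAMAGED_HOSTS):
        print(f"{peer} seen with {count} damaged hosts")
        for host, when in sorted(first_contact(SAMPLE_FLOWS, DAMAGED_HOSTS, peer).items()):
            print(f"  first contact with {host}: {when}")
```

Run it over real flow export converted to the one-record-per-line form shown in `parse_flow`; the window bounds and `min_hosts` are the only tuning knobs, and a peer that ranks high but has no first contact before the window is more consistent with a remote trigger than with a dormant payload.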
This archive was generated by hypermail 2b30 : Thu May 02 2002 - 13:57:23 PDT