Re: Windows Systems Defaced

From: Stephen W. Thompson (thompsonat_private)
Date: Thu May 02 2002 - 20:00:01 PDT

    "Steve Zenone" <Zenoneat_private> wrote:
    > Have any of you seen similar activity? Any thoughts?
    Yes, we had one that matches most of your details.  These
    are exact matches:
    >  [] Damage occurred around 1600 on 5/1/2002
    BUT=>   (approx. 16:00 EDT for us)
    >  [] Win-popup message with "F---ing University of Rochester"
    >       -- NOTE: not all systems running IIS
    >  [] Admins claimed that all systems were patched correctly
    >  [] Most were running updated and current AV
    I don't know about file/directory deletions - the machine wouldn't
    boot, so they hadn't looked at the filesystem yet.  A quick rebuild
    was planned, so it's unlikely that the drive will be examined.
    Additional: NT4 SP6 (maybe not 6a; unknown security rollup hotfix);
      not running IIS; part of a domain but not a domain server; running
      SQL Server (version not available right now); a share given access
      only to an access control list of specific, domain-authenticated
      users *and* authentication to SQL Server (reportedly); passwords
      claimed to be strong; same password used on PDC and this machine.
    Also noted by admin, unknown if related or if I understood correctly:
      Reports of "this IP is being used by another machine"-type messages
      for the machine in question.  (Same day? Previous day? Previous
      week?); problems with "path unknown" and "unable to find domain"
      sorts of errors for previous two weeks; passwords not working and
      then working; currently unconfirmed report of an IRC-controlled "bot"
      on same subnet.
    > I have received three reports thus far of Windows systems
    > that have been damaged. At this point there have been
    > nine systems on various subnets.
    En paz,
    Steve, security analyst
    Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
    thompsonat_private    URL=
      For security matters, use securityat_private, read by InfoSec staff
      The only safe choice: Write e-mail as if it's public.  Cuz it could be.
    This list is provided by the SecurityFocus ARIS analyzer service.
