Re: Windows Systems Defaced

From: Stephen W. Thompson (thompsonat_private)
Date: Thu May 02 2002 - 20:00:01 PDT

    "Steve Zenone" <Zenoneat_private> wrote:
    
    > Have any of you seen similar activity? Any thoughts?
    
    Yes, we had one that matches most of your details.  These
    are exact matches:
    
    >  [] Damage occurred around 1600 on 5/1/2002
    BUT=>   (approx. 16:00 EDT for us)
    >  [] Win-popup message with "F---ing University of Rochester"
    >       -- NOTE: not all systems running IIS
    >  [] Admins claimed that all systems were patched correctly
    >  [] Most were running updated and current AV
    
    I don't know about file/directory deletions - the machine wouldn't
    boot, so they hadn't looked at the filesystem yet.  A quick rebuild
    was planned, so it is unlikely that the drive will be examined.
    
    Additional: NT4 SP6 (maybe not 6a; unknown security rollup hotfix);
      not running IIS; part of a domain but not a domain server; running
      SQL Server (version not available right now); a share given access
      only to an access control list of specific, domain-authenticated
      users *and* authentication to SQL Server (reportedly); passwords
      claimed to be strong; same password used on PDC and this machine.
    
    Also noted by admin, unknown if related or if I understood correctly:
      Reports of "this IP is being used by another machine"-type messages
      for the machine in question.  (Same day? Previous day? Previous
      week?); problems with "path unknown" and "unable to find domain"
      sorts of errors for previous two weeks; passwords not working and
      then working; currently unconfirmed report of an IRC-controlled "bot"
      on same subnet.
    
    > I have received three reports thus far of Windows systems
    > that have been damaged. At this point there have been
    > nine systems on various subnets.
    [snip]
    
    En paz,
    Steve, security analyst
    -- 
    Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236, WWW has PGP
    thompsonat_private    URL=http://pobox.upenn.edu/~thompson/index.html
      For security matters, use securityat_private, read by InfoSec staff
      The only safe choice: Write e-mail as if it's public.  Cuz it could be.
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com