Re: exploited win2k box, not quite sure how:

From: Mike Lewinski (mikeat_private)
Date: Mon May 20 2002 - 12:13:32 PDT

    > It's definitely been broken into. PC-cillin has picked up a few nimda
    > files, and there is a directory c:\tAGGEd with various subdirectories
    > under it, and an unopenable file C:\TaGGed By Ca$e.

    Sounds like a run-of-the-mill exploited anonymous FTP server to me. You got
    a world-writeable C: drive as ftproot? That will cause problems.... Use 'dir
    /x' to get MS-DOS 8.3 filenames, then you can use any other standard DOS
    commands to examine/remove it. Probably full of pirated software and movies.
    Check your FTP logs.

    This archive was generated by hypermail 2b30 : Mon May 20 2002 - 18:22:10 PDT
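
The "check your FTP logs" step from the reply above, as an added example that is not part of the original message: it picks out anonymous FTP sessions that successfully created directories or files. It assumes W3C-style log lines (fields time, c-ip, cs-method, cs-uri-stem, sc-status, with a bracketed session number before the command); the sample log, addresses, account names and the set of write verbs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed layout: time c-ip cs-method cs-uri-stem
# sc-status, with "[session]" prefixed to the command).
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:12:44 192.0.2.10 [7]USER anonymous 331
03:12:45 192.0.2.10 [7]PASS guest@example.invalid 230
03:12:51 192.0.2.10 [7]MKD tAGGEd 257
03:13:02 192.0.2.10 [7]MKD tAGGEd/sub1 257
03:19:40 192.0.2.10 [7]created /tAGGEd/sub1/file.bin 226
09:01:10 198.51.100.4 [8]USER anonymous 331
09:01:11 198.51.100.4 [8]PASS user@example.invalid 230
09:01:20 198.51.100.4 [8]sent /pub/readme.txt 226
10:30:00 203.0.113.9 [9]USER backupsvc 331
10:30:01 203.0.113.9 [9]PASS - 230
10:30:09 203.0.113.9 [9]created /backup/db.zip 226
"""

# time, client IP, session number, verb, argument (may contain spaces), status
LINE = re.compile(r"^(\S+) (\S+) \[(\d+)\](\S+) (.*) (\d{3})$")
WRITE_VERBS = {"MKD", "CREATED", "STOR", "APPE", "RNTO"}  # assumed verb set

def anonymous_writes(log_text):
    """Return {(client_ip, session_id): [(time, verb, path), ...]} for
    anonymous sessions that successfully created files or directories."""
    user = {}                    # session key -> login name from USER
    hits = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                # skips '#' header lines and malformed lines
            continue
        time, ip, sid, verb, arg, status = m.groups()
        key, verb = (ip, sid), verb.upper()
        if verb == "USER":
            user[key] = arg.lower()
        elif (verb in WRITE_VERBS and status.startswith("2")
              and user.get(key) in ("anonymous", "ftp")):
            hits[key].append((time, verb, arg))
    return dict(hits)

if __name__ == "__main__":
    for (ip, sid), events in anonymous_writes(SAMPLE_LOG).items():
        print(f"{ip} session {sid}: {len(events)} anonymous write(s)")
        for time, verb, path in events:
            print(f"  {time} {verb} {path}")
```

Any session it reports means the anonymous account has write access somewhere under the FTP root, which is the misconfiguration the reply describes.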