Hrmm.. Need to know a few things first tho..

1. Is everything up-to-date on the current patches?
2. What services are you running on IIS (FTP, etc..) or on the server for that matter (Finger, Time, etc.)?
3. Do you have any blank passwords in SQL Svr 7.. is SQL open to the outside world?
4. Any fun-loving shares open to the world? Is the admin password blank?

I almost wanna say some warez kiddie is using your site as a public ftp for uploading files to your system.. maybe your ftp has anonymous enabled. If that's so, then you're prolly being used as a warez site. Of course I could totally be wrong.. (happens once every 1500 years or so ;)

~Brandon

-----Original Message-----
From: John Jasen [mailto:jjasen1at_private]
Sent: Friday, May 17, 2002 9:05 PM
To: incidentsat_private
Subject: exploited win2k box, not quite sure how:

Got a weird one here.

Win2k server, SP2
IIS 5.0
SQL server 7
ipswitch imail 6.x

It's definitely been broken into. PC-cillin has picked up a few nimda files, and there is a directory c:\tAGGEd with various subdirectories under it, and an unopenable file C:\TaGGed By Ca$e.

I'm working on getting a disk image up for perusal, but that might take a few days.

Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few other places has come up dry.

--
-- John E. Jasen (jjasen1at_private)
-- User Error #2361: Please insert coffee and try again.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
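Brandon's anonymous-FTP theory can be checked against the IIS FTP service logs while the disk image is still being made. The script below is an added example, not code from either poster; it assumes IIS-style W3C FTP log lines (date time c-ip cs-username cs-method cs-uri-stem sc-status, where "created" is a completed upload and "sent" a completed download) and runs over a constructed sample that mimics the tAGGEd drop directory.

```python
import re
from collections import defaultdict

# Constructed sample of IIS FTP service log lines (not real data). Layout assumed:
# date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2002-05-17 20:41:03 192.0.2.10 - [7]USER anonymous 331
2002-05-17 20:41:04 192.0.2.10 anonymous [7]PASS guest@ 230
2002-05-17 20:41:09 192.0.2.10 anonymous [7]created /tAGGEd/readme.txt 226
2002-05-17 20:42:15 192.0.2.10 anonymous [7]created /tAGGEd/movies/x.avi 226
2002-05-17 20:50:00 198.51.100.7 jdoe [8]PASS - 230
2002-05-17 20:50:30 198.51.100.7 jdoe [8]sent /reports/q1.pdf 226
2002-05-17 21:01:11 192.0.2.10 anonymous [9]sent /tAGGEd/movies/x.avi 226
2002-05-17 21:03:40 203.0.113.9 anonymous [10]sent /tAGGEd/movies/x.avi 226
"""

# IIS prefixes the FTP verb with a per-session counter, e.g. "[7]created".
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<user>\S+) "
    r"\[\d+\](?P<method>\w+) (?P<path>\S+) (?P<status>\d+)$"
)


def parse_ftp_log(text):
    """Yield one dict per data line; skip #directives and malformed lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def anonymous_drop_activity(text):
    """Find the public-drop pattern: files uploaded by anonymous sessions
    (status 226 = transfer complete, assumed) that anonymous users then download.
    Returns (uploads: path -> uploader IP, served: path -> anonymous download count)."""
    uploads = {}
    served = defaultdict(int)
    for rec in parse_ftp_log(text):
        if rec["user"].lower() != "anonymous" or rec["status"] != "226":
            continue
        if rec["method"] == "created":
            uploads[rec["path"]] = rec["ip"]
        elif rec["method"] == "sent" and rec["path"] in uploads:
            served[rec["path"]] += 1
    return uploads, dict(served)


if __name__ == "__main__":
    ups, srv = anonymous_drop_activity(SAMPLE_LOG)
    for path, ip in ups.items():
        print(f"anonymous upload from {ip}: {path} (served {srv.get(path, 0)}x)")
```

Any path that is both uploaded and served anonymously is a strong sign the box is being used as a warez drop, and the uploader IPs give a starting point for the rest of the log review.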
This archive was generated by hypermail 2b30 : Mon May 20 2002 - 18:52:16 PDT