Do you have an anonymous FTP server up? If so, that's probably where they got in from. Either disable anonymous FTP or limit write access. :)

----- Original Message -----
From: "John Jasen" <jjasen1at_private>
To: <incidentsat_private>
Sent: Friday, May 17, 2002 9:05 PM
Subject: exploited win2k box, not quite sure how:

> Got a weird one here.
>
> Win2k server, SP2
> IIS 5.0
> SQL server 7
> ipswitch imail 6.x
>
> It's definitely been broken into. PC-cillin has picked up a few nimda
> files, and there is a directory c:\tAGGEd with various subdirectories
> under it, and an unopenable file C:\TaGGed By Ca$e.
>
> I'm working on getting a disk image up for perusal, but that might take a
> few days.
>
> Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few
> other places has come up dry.
>
> --
> -- John E. Jasen (jjasen1at_private)
> -- User Error #2361: Please insert coffee and try again.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon May 20 2002 - 19:36:36 PDT