Win2k Pro, IIS. I double-checked the admin's patches and it looks like he
had everything he should have had.

The system log had nothing for the time period in question, and the
application log had the following items of note:

7/1/2003 4:29:29 PM  AlertManager  Error  None  770  N/A  MACHINENAME
"Alert Manager could not send an alert message. Device type: ""Network
Message"" Intended recipient: ""\\MACHINE"" Message: ""The file
C:\Inetpub\wwwroot\svchost.exe is infected with ServU-Daemon Virus. The
file was successfully deleted.(from MACHINE IP aaa.bbb.ccc.ddd user
MACHINE\IUSR_MACHINE running NetShield 2000 4.5 OAS)"" "
(repeated a few times)

7/1/2003 4:25:44 PM  Active Server Pages  Information  None  3  N/A
MACHINENAME  Service started.

The security log was blank.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Thu, 3 Jul 2003, James Tollerson wrote:

> What OS have you seen this happen on? What information is the event log
> showing?
>
> James Tollerson
>
>
> -----Original Message-----
> From: Jordan Wiens [mailto:jwiensat_private]
> Sent: Wednesday, July 02, 2003 1:09 PM
> To: incidentsat_private
> Subject: frontpage extensions; backdoor or initial compromise?
>
> We had a recent compromise that our IDS did not detect; however, it did
> detect subsequent backdoor activity and a few other packets afterwards
> that alerted us to the compromise. Upon closer investigation of the
> activity, some of the additional information logged showed some FrontPage
> extensions being used in an interesting way. Anyone else seen this?
>
> Since we were unable to determine the initial compromise method, I'm
> trying to figure out if this was purely used as a backdoor, or might also
> have been the same method as the initial compromise.
>
> Some additional background info: the svchost.exe is a renamed Serv-U FTP
> daemon process that was loaded onto the server along with a few other,
> 'normal' backdoor tools.
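The Alert Manager event quoted above carries most of what an incident responder needs: the path the on-access scanner hit, the detection name, the action taken, and the account under which the file access occurred. The following is an added example, not code from the thread or from any of the products it names, that parses event text of that shape and raises generic triage flags. The regular expression, the flag names, the list of system-binary names, the web-root and System32 paths, and the second (benign) event are all assumptions made for the example; the first event is the one quoted in the thread with its doubled quotes collapsed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample events in the shape of the exported application log:
# (timestamp, source, event id, description). The first reproduces the
# NetShield Alert Manager message quoted in the thread; the second is a
# made-up detection outside the web root for contrast.
SAMPLE_EVENTS = [
    ('7/1/2003 4:29:29 PM', 'AlertManager', 770,
     'Alert Manager could not send an alert message. Device type: "Network Message" '
     'Intended recipient: "\\\\MACHINE" Message: "The file C:\\Inetpub\\wwwroot\\svchost.exe '
     'is infected with ServU-Daemon Virus. The file was successfully deleted.'
     '(from MACHINE IP aaa.bbb.ccc.ddd user MACHINE\\IUSR_MACHINE running NetShield 2000 4.5 OAS)"'),
    ('7/1/2003 9:02:11 AM', 'AlertManager', 770,
     'Alert Manager could not send an alert message. Device type: "Network Message" '
     'Intended recipient: "\\\\MACHINE" Message: "The file C:\\Documents and Settings\\admin\\eicar.com '
     'is infected with EICAR test file. The file was successfully deleted.'
     '(from MACHINE IP aaa.bbb.ccc.ddd user MACHINE\\admin running NetShield 2000 4.5 OAS)"'),
]

# Assumed message grammar, derived only from the one event text on the page.
ALERT_RE = re.compile(
    r'The file (?P<path>.+?) is infected with (?P<threat>.+?)\. '
    r'The file was (?P<action>.+?)\.'
    r'\(from (?P<host>\S+) IP (?P<ip>\S+) user (?P<user>\S+) running (?P<product>.+?)\)'
)

# Assumptions for the triage rules: default IIS web root, default System32
# locations, and a handful of Windows binary names often borrowed by malware.
WEB_ROOT = 'c:\\inetpub\\wwwroot'
SYSTEM_DIRS = ('c:\\winnt\\system32', 'c:\\windows\\system32')
EXEC_EXTS = {'.exe', '.dll', '.com', '.bat', '.cmd', '.scr', '.pif'}
SYSTEM_BINARY_NAMES = {'svchost.exe', 'lsass.exe', 'csrss.exe',
                       'services.exe', 'winlogon.exe', 'smss.exe'}


@dataclass
class Detection:
    when: str
    path: str
    threat: str
    action: str
    host: str
    ip: str
    user: str
    product: str
    flags: Tuple[str, ...]


def triage_flags(path: str, user: str) -> Tuple[str, ...]:
    """Generic indicators worth a second look; none of them proves compromise."""
    p = path.lower()
    name = p.rsplit('\\', 1)[-1]
    ext = '.' + name.rsplit('.', 1)[-1] if '.' in name else ''
    account = user.split('\\')[-1].lower()
    flags = []
    if p.startswith(WEB_ROOT + '\\'):
        flags.append('in_web_root')
        if ext in EXEC_EXTS:
            # Binaries do not belong in a static/ASP content directory.
            flags.append('executable_in_web_root')
    if account.startswith('iusr_'):
        # The scanner reports the account the file access ran under; IUSR_* is
        # IIS's anonymous identity, so the access came through the web server.
        flags.append('accessed_under_anonymous_web_account')
    if name in SYSTEM_BINARY_NAMES and not p.startswith(SYSTEM_DIRS):
        flags.append('system_binary_name_outside_system32')
    return tuple(flags)


def parse_alert(when: str, text: str) -> Optional[Detection]:
    """Extract the scanner fields from one Alert Manager description, or None."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    return Detection(when=when, flags=triage_flags(fields['path'], fields['user']), **fields)


def triage(events) -> List[Detection]:
    """Run every Alert Manager event 770 through the parser and keep the hits."""
    out = []
    for when, source, event_id, text in events:
        if source == 'AlertManager' and event_id == 770:
            det = parse_alert(when, text)
            if det is not None:
                out.append(det)
    return out


if __name__ == '__main__':
    for det in triage(SAMPLE_EVENTS):
        print(det.when, det.path, det.threat, det.user, det.flags or '(no flags)')
```

Run against the two constructed events, the svchost.exe entry raises all four flags and the second entry raises none. The point of the `accessed_under_anonymous_web_account` flag is that a file touched under IUSR_MACHINE was reached through IIS itself, which is consistent with the thread's question about FrontPage extensions being used to place or run the file; the AV deleting the binary removes the evidence, so the flags are a prompt to pull the IIS logs for that time window rather than a conclusion.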
This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 13:01:45 PDT