Security Incidents mailing list archives
Re: exploited win2k box, not quite sure how:
From: John Jasen <jjasen1 () umbc edu>
Date: Mon, 20 May 2002 16:44:00 -0400
On Fri, 17 May 2002, John Jasen wrote:
Got a weird one here. Win2k server, SP2, IIS 5.0, SQL Server 7, Ipswitch IMail 6.x. It's definitely been broken into. PC-cillin has picked up a few Nimda files, and there is a directory c:\tAGGEd with various subdirectories under it, and an unopenable file C:\TaGGed By Ca$e. I'm working on getting a disk image up for perusal, but that might take a few days. Anybody seen this yet? Searching SecurityFocus, McAfee, Google, and a few other places has come up dry.
To further the explanation, the patch level on the OS was SP2. I've not yet poked into IIS's patch revisions, or SQL's. It's a long story, but this was a third-party box that got mangled, and I got to dissect it.

As for anonymous writeable FTP, I don't know. IIS had three definitions to allow FTP, one of which did not allow anonymous writes, one of which did, and one of which was user/pass restricted. Figuring out what was running has proven difficult, as before the client realised that things were far out of control, they tried fixing some things on their own. I'll probably look at it again tomorrow and see what can be ascertained.

Yes, the box had a pretty trivial admin password. The client didn't change our shipped default. Yes, it had default.ida executable. (bleh)

I'm truly leaning towards it having been hit more than once.

--
-- John E. Jasen (jjasen1 () umbc edu)
-- User Error #2361: Please insert coffee and try again.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
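One thing a responder would do on a box like this, given that the .ida mapping was still live, is pull the IIS web logs and look for when .ida requests started arriving and which ones the server answered with 200. The script below is an added example, not part of the thread; it assumes W3C Extended log lines with the field order declared in a #Fields header, and the log lines in it are constructed for illustration.

```python
"""Flag IIS 5.0 web-log requests that target the .ida/.idq ISAPI mapping.

Added example, not from the mailing-list thread. Assumes the W3C Extended
log format with a #Fields header naming the columns (constructed sample).
"""

# Constructed sample log; field order follows the #Fields line, as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-17 03:12:41 192.0.2.10 GET /default.htm - 200
2002-05-17 03:14:02 203.0.113.7 GET /default.ida XXXXXXXXXXXXXXXX 200
2002-05-17 03:20:19 198.51.100.4 GET /index.asp - 200
2002-05-18 11:02:33 203.0.113.7 GET /default.ida XXXXXXXXXXXXXXXX 404
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header can change mid-file; re-read it
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                        # skip truncated lines, don't mis-assign columns
        yield dict(zip(fields, parts))


def ida_hits(text):
    """Return (client ip, uri stem, status) for every .ida/.idq request.

    A 200 on default.ida means the ISAPI mapping was still live at that point;
    a 404 after the fact suggests the mapping had since been removed.
    """
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith((".ida", ".idq")):
            hits.append((rec["c-ip"], stem, int(rec["sc-status"])))
    return hits


def first_successful_ida(text):
    """Return 'date time' of the earliest .ida request answered 200, or None.

    Useful as the earliest plausible compromise time when asking 'hit more than once?'.
    """
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if stem.endswith((".ida", ".idq")) and rec["sc-status"] == "200":
            return f"{rec['date']} {rec['time']}"
    return None
```

Run it against the real logs by reading each ex*.log file and passing its text in; logs are in local time unless the site was configured otherwise, so align timestamps before comparing with the tAGGEd directory's creation times.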