Security Incidents mailing list archives
Windows Systems Defaced
From: "Steve Zenone" <Zenone () cats ucsc edu>
Date: Thu, 2 May 2002 13:23:03 -0700
Hello Folks, I have received three reports thus far of Windows systems that have been damaged. At this point there have been nine systems on various subnets. The commonalities are: [] Damage occurred around 1600 on 5/1/2002 [] All files deleted -- Folders not deleted [] Win-popup message with "F---ing University of Rochester" [] If running IIS, had the index.html changed with same test as win-popup -- NOTE: not all systems running IIS -- If running IIS, logs dumped from memory to drive in evening o Logs aren't showing anything useful [] Admins claimed that all systems were patched correctly [] Most were running updated and current AV IDS didn't show anything out of the ordinary. I am currently running net-flows against the systems we know of thus far that have been damaged within the given timeframe yesterday. I am looking for commonalities...but haven't really seen any yet and am starting to wonder if these systems had a payload that was waiting to activate (obviously undetected by AV). Have any of you seen similar activity? Any thoughts? Thanks in advance! Regards, Steve ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Windows Systems Defaced Steve Zenone (May 02)
- <Possible follow-ups>
- Re: Windows Systems Defaced Stephen W. Thompson (May 02)
- RE: Windows Systems Defaced Steve Zenone (May 02)
- RE: Windows Systems Defaced H C (May 03)
- RE: Windows Systems Defaced Brenna Primrose (May 03)
- RE: Windows Systems Defaced Johannes B. Ullrich (May 03)
- Windows Systems Defaced/destroyed, plus Port 3389 attacks Bukys, Liudvikas (May 13)
- RE: Windows Systems Defaced Steve Zenone (May 02)