Security Incidents mailing list archives
Windows Systems Defaced
From: "Steve Zenone" <Zenone () cats ucsc edu>
Date: Thu, 2 May 2002 13:23:03 -0700
Hello Folks,

I have received three reports thus far of Windows systems
that have been damaged. At this point there have been
nine systems on various subnets. The commonalities are:

[] Damage occurred around 1600 on 5/1/2002
[] All files deleted
   -- Folders not deleted
[] Win-popup message with "F---ing University of Rochester"
[] If running IIS, had the index.html changed with same
   text as win-popup
   -- NOTE: not all systems running IIS
   -- If running IIS, logs dumped from memory to drive
      in evening
      o Logs aren't showing anything useful
[] Admins claimed that all systems were patched correctly
[] Most were running updated and current AV

IDS didn't show anything out of the ordinary. I am currently
running net-flows against the systems we know of thus far
that have been damaged within the given timeframe yesterday.
I am looking for commonalities...but haven't really seen any
yet and am starting to wonder if these systems had a payload
that was waiting to activate (obviously undetected by AV).

Have any of you seen similar activity? Any thoughts?

Thanks in advance!

Regards,
Steve
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
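
Added example, not part of the original post: one way to run the flow comparison the message describes, listing remote peers that exchanged traffic with more than one damaged system in a window around the reported damage time. The flow record layout, the addresses and the window sizes are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not data from the incident), one flow per line:
# start-time  source-ip  destination-ip  destination-port
SAMPLE_FLOWS = """\
2002-05-01T09:00:00 203.0.113.4 10.1.1.5 139
2002-05-01T09:05:00 203.0.113.4 10.1.2.9 139
2002-05-01T15:41:10 192.0.2.77 10.1.1.5 139
2002-05-01T15:43:02 192.0.2.77 10.1.2.9 139
2002-05-01T15:44:30 192.0.2.77 10.1.3.14 445
2002-05-01T15:50:00 10.1.1.5 198.51.100.8 80
2002-05-01T15:52:00 10.1.2.9 198.51.100.8 80
2002-05-01T16:05:00 203.0.113.4 10.1.3.14 80
"""
DAMAGED = {"10.1.1.5", "10.1.2.9", "10.1.3.14"}   # hypothetical addresses
DAMAGE_TIME = datetime(2002, 5, 1, 16, 0)          # "around 1600 on 5/1/2002"

def parse_flows(text):
    """Yield (time, src, dst, dport) from whitespace-separated flow lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def common_peers(flows, damaged, center, window, min_hosts=2):
    """Peers that exchanged traffic with >= min_hosts damaged systems
    within +/- window of center, most widely shared first."""
    seen = defaultdict(lambda: (set(), set()))     # peer -> (hosts, ports)
    for ts, src, dst, dport in flows:
        if abs(ts - center) > window:
            continue
        if dst in damaged and src not in damaged:
            peer, host = src, dst                  # inbound to a damaged host
        elif src in damaged and dst not in damaged:
            peer, host = dst, src                  # outbound from a damaged host
        else:
            continue                               # unrelated, or damaged-to-damaged
        seen[peer][0].add(host)
        seen[peer][1].add(dport)
    rows = [(p, sorted(h), sorted(q)) for p, (h, q) in seen.items() if len(h) >= min_hosts]
    return sorted(rows, key=lambda r: (-len(r[1]), r[0]))

if __name__ == "__main__":
    for hours in (2, 12):   # a wider window also catches contact well before the damage
        print(f"+/- {hours}h")
        for peer, hosts, ports in common_peers(parse_flows(SAMPLE_FLOWS), DAMAGED,
                                               DAMAGE_TIME, timedelta(hours=hours)):
            print(f"  {peer:15} hosts={len(hosts)} ports={ports}")
```

In the constructed data the 2-hour window lists two shared peers, and the 12-hour window adds a third whose contact with two of the hosts happened in the morning, which is the kind of lead a delayed payload would leave outside a narrow window.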
