[Dshield] RE: CA eTrust TARGET Advisory - Monitoring New"Attack"Activity
GuyBarnum at Armscole.com
Thu Oct 2 15:56:07 GMT 2003
A few weeks ago our win2k servers internal DNS services were taken over/corrupted - completely shut down. I worked for a couple hours with a Microsoft technician to get everything up and working again and they weren't able to determine, or weren't telling, what may have been done to the system. A low-end netgear switch was brought down at the same time and was not able to be brought back up again after working on it for some time with one of their technicians, it was replaced by netgear at no cost.
Does it sound like this could be related to the Cert, Suspicious Network Activity warning?
More importantly please let me know if you have any suggestions or ideas on what type of logging may have caught the 'suspected' intrusion. I am new at server security specifically and I'm finding it slow going getting the correct logging set up and even slower to determine anything useful from said logs.
Example of frustration: from our previous NT server I have months worth of IIS logs clearly showing repeated and obvious intrusions. I was completely blown off as none of the ISP's I contacted would accept the IIS log as proof though it even shows the tools which were run to break in.
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Kenton Smith
Sent: Wednesday, October 01, 2003 2:45 PM
To: list at dshield.org
Subject: [Dshield] CA eTrust TARGET Advisory - Monitoring New
Virus Information CenterSecurity Advisory:
Suspicious Network Activity
Computer Associates (CA) eTrust Threat Analysis and Response Global
Emergency Team (TARGET) is currently tracking and researching a new
suspicious network activity that has received some attention on NTBugTraq.
This suspicious activity involves involuntary changes to the DNS server
settings on Windows 2000 and XP (not an exhaustive list).
More information about the list