No subject

Thu Jun 23 00:45:34 GMT 2005

The 200 answers means that the attacker got a complete listing of the
c, d and e drives of your server.

PM> I have since
PM> Deny all access to /winnt/system32 from the IUSR_machinename.

That will help, but what you should do is patch your machine. Get the
hfchk utility from microsoft, it will give you a list of the fixed
that you need to apply. I got a parser program for the output
somewhere, if you need it.

PM> I checked out
PM> TFTP and CMD and found that they both had everyone full control and that has
PM> since been changed.

That won't do you much good. Basically, that's like locking the
cupboard while leaving the front door open.

PM> I am not going to sleep well tonight, dam it someone
PM> got into my system and I'm pissed.

Well, I'm sorry for that. If it can make you feel any better, the fact
that they didn't bother to cover their tracks means that they might
not have tampered with the log files and it doesn't seems that have
been running anything on your machine. But you really should check
these log again and see if you can follow the tracks.

Anyway, the safest thing to do would be to backup any important data
on the server, put a win2k CD in the bay, format and reinstall.

Good luck,
Best regards,
 security                            mailto:security at

More information about the list mailing list