PC hack

Jenett M. Tillotson jtillots at pharmacy.purdue.edu
Wed Apr 3 18:18:14 GMT 2002

I have some more information on our PC hack.  I thought others might be
interested in what we've found.

We had 4 machines compromised.  All were running Windows 2000 with the
latest security patches.  All had user (non-administrator) accounts with
administrator privileges and easy to crack passwords.  The attack happened
on March 26th in the evening.  There were other machines on campus that
were attacked throughout the day on the 26th, although I haven't heard of
any other successful hacks.

The payload was a Serv-U ftp server and a Ataman telnetd server.  The
telnet server was running on port 7000.  A quick scan for port 7000 on our
network turned up the 4th machine.  I would highly recommend that everyone
scan for port 7000 on their networks.

Also, it doesn't seem like the hacker was actively doing anything with the
machine since the breakin.  It appears that this was a bot that first
breaks into the machine, and then the hacker was planning on coming back
later to do something with the machine.

Please email me anymore information you have on this.  I'm trying to track
down IP addresses for the hackers, so any information alongs those lines
would be great.

Thank you to everyone who responded about this.  I've received some great
information from the people on this list.

Jenett Tillotson
School of Pharmacy
Purdue University

More information about the unisog mailing list