[unisog] PC hack

Anderson Johnston andy at umbc.edu
Wed Apr 3 21:24:01 GMT 2002


Can you describe how you discovered that the first three machines were
compromised?  (No problem if you can't talk about it.  Just curious.)

				- Andy Johnston

On Wed, 3 Apr 2002, Jenett M. Tillotson wrote:

>
> I have some more information on our PC hack.  I thought others might be
> interested in what we've found.
>
> We had 4 machines compromised.  All were running Windows 2000 with the
> latest security patches.  All had user (non-administrator) accounts with
> administrator privileges and easy to crack passwords.  The attack happened
> on March 26th in the evening.  There were other machines on campus that
> were attacked throughout the day on the 26th, although I haven't heard of
> any other successful hacks.
>
> The payload was a Serv-U ftp server and an Ataman telnetd server.  The
> telnet server was running on port 7000.  A quick scan for port 7000 on our
> network turned up the 4th machine.  I would highly recommend that everyone
> scan for port 7000 on their networks.
>
> Also, it doesn't seem like the hacker was actively doing anything with the
> machine since the breakin.  It appears that this was a bot that first
> breaks into the machine, and then the hacker was planning on coming back
> later to do something with the machine.
>
> Please email me any more information you have on this.  I'm trying to track
> down IP addresses for the hackers, so any information along those lines
> would be great.
>
> Thank you to everyone who responded about this.  I've received some great
> information from the people on this list.
>
> Jenett Tillotson
> School of Pharmacy
> Purdue University
>
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
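The "scan for port 7000" advice in the quoted message, worked through as an added example that is not part of the thread or of either poster's tooling: a parallel TCP connect sweep of one port across a CIDR block, with a banner grab on each open port so a hit can be told apart from a legitimate service that happens to listen on 7000. The loopback listener and its "Ataman ..." greeting are constructed for the offline self-test only; the real Ataman telnetd banner is not quoted anywhere in the thread, so treat any open 7000/tcp as worth a look rather than matching on that string.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

SUSPECT_PORT = 7000  # port the backdoor telnetd was found listening on

# Constructed banner for the self-test only (assumption: the real Ataman
# greeting is not quoted in the thread, so do not match on this in production).
FAKE_BANNER = b"Ataman TCP Remote Logon Services (demo)\r\n"


def probe(host, port, timeout=1.0):
    """TCP-connect to host:port.  Return (host, port, banner) if the port is
    open, or None if the connection is refused, unreachable or times out."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                raw = s.recv(512)
            except socket.timeout:
                raw = b""  # open but silent: still worth a manual look
            return (host, port, raw.decode("latin-1", "replace").strip())
    except OSError:
        return None


def hosts_in(cidr):
    """Expand a CIDR such as 192.0.2.0/24 into its host addresses."""
    return [str(h) for h in ipaddress.ip_network(cidr, strict=False).hosts()]


def scan(hosts, port=SUSPECT_PORT, timeout=1.0, workers=64):
    """Probe every host on one port in parallel; return only the open ones."""
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda h: probe(h, port, timeout), hosts))
    return [r for r in results if r is not None]


def start_fake_telnetd(banner=FAKE_BANNER):
    """Loopback listener standing in for a compromised host so the scanner
    can be exercised offline.  Returns (server_socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener was closed
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def unused_port():
    """Bind-and-release an ephemeral loopback port that is then closed,
    used to show what a refused connection looks like to the scanner."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv, port = start_fake_telnetd()
    for host, p, banner in scan(["127.0.0.1"], port=port):
        print(f"{host}:{p} open  banner={banner!r}")
    srv.close()
    # A real sweep of a campus /24 would be:
    #   scan(hosts_in("192.0.2.0/24"), port=SUSPECT_PORT)
```

Run it as-is to see the loopback hit; for a real sweep pass the output of hosts_in() for your own address space, keep the timeout short so a /16 finishes in minutes, and follow up every hit by hand, since the banner alone does not prove the box is owned.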


