[unisog] PC hack

Jenett Tillotson jtillots at pharmacy.purdue.edu
Thu Apr 4 00:49:40 GMT 2002


We discovered the first two machines when the users complained they
could not log in to their accounts.  After that discovery, we sent out a
message reminding people to password protect their accounts with good
passwords.  The third machine was discovered when the user found they
could not change the password on their account.

Jenett Tillotson
School of Pharmacy
Purdue University

On Wed, 3 Apr 2002, Anderson Johnston wrote:

> 
> Can you describe how you discovered that the first three machines were
> compromised?  (No problem if you can't talk about it.  Just curious.)
> 
> 				- Andy Johnston
> 
> On Wed, 3 Apr 2002, Jenett M. Tillotson wrote:
> 
> >
> > I have some more information on our PC hack.  I thought others might be
> > interested in what we've found.
> >
> > We had 4 machines compromised.  All were running Windows 2000 with the
> > latest security patches.  All had user (non-administrator) accounts with
> > administrator privileges and easy-to-crack passwords.  The attack happened
> > on March 26th in the evening.  There were other machines on campus that
> > were attacked throughout the day on the 26th, although I haven't heard of
> > any other successful hacks.
> >
> > The payload was a Serv-U ftp server and an Ataman telnetd server.  The
> > telnet server was running on port 7000.  A quick scan for port 7000 on our
> > network turned up the 4th machine.  I would highly recommend that everyone
> > scan for port 7000 on their networks.
> >
> > Also, it doesn't seem like the hacker was actively doing anything with the
> > machine since the breakin.  It appears that this was a bot that first
> > breaks into the machine, and then the hacker was planning on coming back
> > later to do something with the machine.
> >
> > Please email me any more information you have on this.  I'm trying to track
> > down IP addresses for the hackers, so any information along those lines
> > would be great.
> >
> > Thank you to everyone who responded about this.  I've received some great
> > information from the people on this list.
> >
> > Jenett Tillotson
> > School of Pharmacy
> > Purdue University
> >
> >
> 
> ------------------------------------------------------------------------------
> ** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
> ** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
> ** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
> ** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
> ------------------------------------------------------------------------------
> 
> 
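
The quoted post recommends scanning one's own network for hosts listening on TCP port 7000, which is how the fourth compromised machine was found. The script below is an added example for this archive page, not code posted by anyone in the thread: a parallel TCP connect sweep of a CIDR block that reports every host completing a handshake on the given port. The address range, port, worker count and timeout are assumed parameters; the demo_local() function binds a throwaway listener on 127.0.0.1 as a constructed stand-in for an infected host so the sweep can be exercised offline.

```python
"""Sweep an address range for hosts with a given TCP port open (connect scan).

Added example for the unisog "PC hack" thread; not code from the original posts.
Usage:  python sweep_port.py 10.0.0.0/24 7000
"""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a full TCP handshake to host:port succeeds within timeout.

    A refused connection (RST) and a timeout (filtered, or no host at that
    address) both count as closed; this is a connect scan, not a SYN scan.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def addresses(network: str) -> List[str]:
    """Expand a CIDR block into host addresses.

    For /31 and /32 blocks every address is a host; older ipaddress versions
    return nothing from hosts() there, so those cases are handled explicitly.
    """
    net = ipaddress.ip_network(network, strict=False)
    hosts = list(net) if net.num_addresses <= 2 else list(net.hosts())
    return [str(h) for h in hosts]


def sweep(network: str, port: int, timeout: float = 0.5, workers: int = 64) -> List[str]:
    """Connect-scan every host in the block in parallel; return those with `port` open."""
    targets = addresses(network)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        flags = list(pool.map(lambda h: port_open(h, port, timeout), targets))
    return [h for h, is_open in zip(targets, flags) if is_open]


def demo_local() -> Dict[str, object]:
    """Offline exercise with constructed input: a throwaway listener on 127.0.0.1
    plays the infected host. Confirms the sweep finds it and that a port with
    no listener is reported closed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # kernel picks a free port
    listener.listen(5)
    open_port = listener.getsockname()[1]

    # Reserve and immediately release a second port so nothing listens on it.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()

    try:
        return {
            "found": sweep("127.0.0.1/32", open_port),
            "closed_reported_open": port_open("127.0.0.1", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    cidr = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1/32"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 7000
    for host in sweep(cidr, port):
        print(f"{host}:{port} open")
```

A connect sweep like this only finds a listener that is still running and reachable from the scanning host; a host firewall or a backdoor rebound to a different port would not show up, so the port 7000 check is an indicator specific to this incident rather than a general test for compromise. Running it from several network segments and comparing against a known-good inventory of what should be listening is more useful than a single pass.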


