[unisog] Re: Coordinated Scan
jtillots at pharmacy.purdue.edu
Thu Apr 4 14:04:10 GMT 2002
Let me also add that I think this was the result of poor user habits. 3
of the boxes that were broken into had a blank administrator password.
Also, there were logs of other attempts on campus where one box had 160
attempts to log into an account with administrator privileges.
What puzzles me is that none of the accounts involved were actually the
administrator account, but another account with administrator privilege.
Excuse my ignorance with Microsoft products, but how does a hacker find
out the usernames on a Windows box?
School of Pharmacy
On Wed, 3 Apr 2002, Terry Cavender wrote:
> You may also want to read this and note the security warning at the bottom.
> Seems like a good product.
> --On Wednesday, April 03, 2002 9:03 AM -0800 Huba Leidenfrost <huba at uidaho.edu> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > We fired off sample copies of what we saw here (as probably did many
> > of you) to SOPHOS, NAV, & F-Secure. F-Secure now has detection for
> > this and I'm sure the others will follow.
> > I haven't seen a conclusive writeup. However it would appear that
> > this is just another rendition of the global threat (GT Bot) as
> > mentioned earlier (http://bots.lockdowncorp.com/gtbot.html).
> > Although we still don't know exactly what the dropper was I'm
> > inclined to believe that the reason was simply poor user habits in
> > terms of surfing and password settings. All the systems we saw
> > hacked were 2000 Professional where the user had set their
> > administrator password to nothing.
> > H u b a
> > - -
> > HUBA LEIDENFROST Systems Security Analyst
> > huba at uidaho.edu Information Technology Services
> > University Of Idaho TEL/FAX: 208.885.2126/7539
> > http://www.its.uidaho.edu/info-security/runsafe.htm
More information about the unisog