[unisog] PC hack

Mark Newman mnx at utk.edu
Thu Apr 4 14:39:44 GMT 2002


Has anyone noticed that 'w32time.exe' is/was associated with the Ataman 
telnet server (7000/tcp) on the affected machines?

Mark Newman
University of Tennessee

On Wednesday 03 April 2002 07:49 pm, Jenett Tillotson wrote:
> We discovered the first two machines when the users complained they
> could not log in to their accounts.  After that discovery, we sent out a
> message reminding people to password protect their accounts with good
> passwords.  The third machine was discovered when the user found they
> could not change the password on their account.
>
> Jenett Tillotson
> School of Pharmacy
> Purdue University
>
> On Wed, 3 Apr 2002, Anderson Johnston wrote:
> > Can you describe how you discovered that the first three machines were
> > compromised?  (No problem if you can't talk about it.  Just curious.)
> >
> > 				- Andy Johnston
> >
> > On Wed, 3 Apr 2002, Jenett M. Tillotson wrote:
> > > I have some more information on our PC hack.  I thought others might be
> > > interested in what we've found.
> > >
> > > We had 4 machines compromised.  All were running Windows 2000 with the
> > > latest security patches.  All had user (non-administrator) accounts
> > > with administrator privileges and easy to crack passwords.  The attack
> > > happened on March 26th in the evening.  There were other machines on
> > > campus that were attacked throughout the day on the 26th, although I
> > > haven't heard of any other successful hacks.
> > >
> > > The payload was a Serv-U ftp server and an Ataman telnetd server.  The
> > > telnet server was running on port 7000.  A quick scan for port 7000 on
> > > our network turned up the 4th machine.  I would highly recommend that
> > > everyone scan for port 7000 on their networks.
> > >
> > > Also, it doesn't seem like the hacker was actively doing anything with
> > > the machine since the break-in.  It appears that this was a bot that
> > > first breaks into the machine, and then the hacker was planning on
> > > coming back later to do something with the machine.
> > >
> > > Please email me any more information you have on this.  I'm trying to
> > > track down IP addresses for the hackers, so any information along
> > > those lines would be great.
> > >
> > > Thank you to everyone who responded about this.  I've received some
> > > great information from the people on this list.
> > >
> > > Jenett Tillotson
> > > School of Pharmacy
> > > Purdue University
> >
> > ------------------------------------------------------------------------------
> > ** Andy Johnston (andy at umbc.edu)          *  pager: 410-678-8949           **
> > ** Manager of IT Security                    *  PGP key: (afj2002) 4096/8448B056 **
> > ** Office of Information Technology, UMBC    *  4A B4 96 64 D9 B6 EF E3 21 9A  **
> > ** 410-455-2583 (v)/410-455-1065 (f)         *  46 1A 37 11 F5 6C 84 48 B0 56  **
> > ------------------------------------------------------------------------------