[unisog] Infected windows boxes with IRC controlled trojans on them

Jenett Tillotson jtillots at pharmacy.purdue.edu
Wed Apr 10 21:37:15 GMT 2002


On our Windows 2000 machines, I'm pretty sure this was a brute force hack
on accounts with administrator privileges.  So far, all 2000 machines
we've had compromised had easy-to-guess passwords.  Also, I have reports
of people with logs showing multiple attempts to break into accounts on
the machines - 160 total.  So, I suspect it's just the top 160 possible
passwords (blank password, the name of the machine, the username, abc123,
etc.).

On Windows NT machines, it's a different story.  So far, all machines that
I've seen that have been compromised were not running SP6.  All machines
that have had SP6 installed were fine.  All machines that were not running
SP6 were compromised.  So, this is a security hole, but we're unsure what
hole that is.  I've heard of a security hole in NT with the null user
request allowing access to the box in some bad way, but this is just a
rumor so far.

Jenett Tillotson
School of Pharmacy
Purdue University

On Wed, 10 Apr 2002, Mark Newman wrote:

> Can anyone comment on the method of exploit?
>
> Admin shares and anonymous enumeration have been the commonality with
> machines here...but, *how* was this done?
>
> the IRC controlled machines here were apparently compromised the same way as
> machines found running w32time.exe (7000/tcp ...Ataman telnet)
>
> I already know what files were placed on the compromised machines.
>
> Would appreciate anyone's comments on the method.
>
> Thanks,
> Mark Newman
> University of Tennessee
>
>
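A defender-side check for the pattern Jenett describes (a run of failed logons against administrator accounts): this is an added example, not code from the post, that parses constructed failed-logon log lines in an assumed one-line format and flags account/source pairs whose failures cross a threshold inside a sliding time window. The log format, the threshold of 10 and the 5-minute window are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format (constructed, not a real Windows event log format):
# "<ISO timestamp> FAILED_LOGON user=<account> from=<source ip>"
LINE_RE = re.compile(r"^(\S+) FAILED_LOGON user=(\S+) from=(\S+)$")


def parse_failed_logons(text):
    """Return a list of (timestamp, user, source) for each FAILED_LOGON line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # non-matching lines (successful logons, noise) are ignored
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def detect_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Map (user, source) -> peak failures seen inside any `window`,
    keeping only pairs that reach `threshold` (likely password guessing)."""
    by_key = defaultdict(list)
    for ts, user, src in events:
        by_key[(user, src)].append(ts)
    hits = {}
    for key, times in by_key.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            hits[key] = best
    return hits


def make_sample_log():
    """Constructed sample (not from the post): a fast guessing burst against
    Administrator, a slow trickle from another host, and two ordinary typos."""
    base = datetime(2002, 4, 10, 20, 0, 0)
    lines = [f"{(base + timedelta(seconds=10 * i)).isoformat()} FAILED_LOGON "
             f"user=Administrator from=10.0.0.7" for i in range(12)]
    lines += [f"{(base + timedelta(hours=i)).isoformat()} FAILED_LOGON "
              f"user=Administrator from=10.0.0.8" for i in range(8)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} FAILED_LOGON "
              f"user=jsmith from=10.0.0.9" for i in range(2)]
    lines.append("2002-04-10T20:03:00 LOGON_OK user=jsmith from=10.0.0.9")
    return "\n".join(lines)
```

Only the 12-failure burst is reported; the hourly trickle and the two typos stay below the window threshold, which is the trade-off to tune against the guessing rate actually seen in the logs.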
