jtillots at sparky.pharmacy.purdue.edu
Thu Mar 28 14:57:16 GMT 2002
We had 3 PCs running Windows 2000 broken into on Tuesday, March
26th. These were machines with accounts that had no passwords. The
hacker created new accounts with administrative privileges and named them
"autodll" and "nt4backup". The hacker started up the telnet service and
had set it to automatic. A Serv-U FTP server was running and had been
installed in a hidden directory. The administrative icons were missing
from the control panel and the event log had been cleared up to the date
of the attack. These machines were brought to our attention because the
user was then unable to log in to their account.
I'm curious if anyone else has seen a similar attack and what else should
we be looking for?
School of Pharmacy
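
The artifacts listed in the message above can be checked together as a host triage pass. The following is an added example, not part of the original post: the snapshot format, field names, host data and the 30-day threshold are constructed assumptions, and only the two account names, the telnet autostart, the Serv-U install in a hidden directory, the blank passwords and the cleared event log come from the post.

```python
from datetime import date

IOC_ADMINS = {"autodll", "nt4backup"}  # account names reported in the post

# Constructed snapshot in a hypothetical export format (not real tool output).
SNAPSHOT = {
    "installed": date(2001, 8, 15),
    "oldest_event": date(2002, 3, 26),
    "accounts": [
        {"name": "Administrator", "admin": True, "blank_password": False},
        {"name": "student", "admin": False, "blank_password": True},
        {"name": "autodll", "admin": True, "blank_password": False},
        {"name": "nt4backup", "admin": True, "blank_password": False},
    ],
    "services": [
        {"name": "TlntSvr", "start": "auto", "hidden_dir": False},
        {"name": "Serv-U", "start": "auto", "hidden_dir": True},
        {"name": "Spooler", "start": "auto", "hidden_dir": False},
    ],
}

def triage(snap, baseline_admins, max_log_gap_days=30):
    """Return (code, subject) findings for one host snapshot."""
    findings = []
    for acct in snap["accounts"]:
        name = acct["name"].lower()
        if acct["blank_password"]:
            findings.append(("BLANK_PASSWORD", acct["name"]))
        # Any admin outside the known-good baseline is flagged, not only the
        # two names from the post, since an intruder can pick other names.
        if acct["admin"] and name not in baseline_admins:
            code = "IOC_ADMIN" if name in IOC_ADMINS else "UNEXPECTED_ADMIN"
            findings.append((code, acct["name"]))
    for svc in snap["services"]:
        if svc["name"].lower() == "tlntsvr" and svc["start"] == "auto":
            findings.append(("TELNET_AUTOSTART", svc["name"]))
        if svc["hidden_dir"]:
            findings.append(("SERVICE_IN_HIDDEN_DIR", svc["name"]))
    # An oldest log record far newer than the install date suggests the log
    # was cleared (or has wrapped, so check the log size settings as well).
    gap = (snap["oldest_event"] - snap["installed"]).days
    if gap > max_log_gap_days:
        findings.append(("EVENT_LOG_GAP", f"{gap} days"))
    return findings

if __name__ == "__main__":
    for code, subject in triage(SNAPSHOT, baseline_admins={"administrator"}):
        print(f"{code:22} {subject}")
```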