[unisog] PC hack

David McGovern dmmcgove at hotmail.com
Thu Mar 28 15:41:04 GMT 2002


Accounts with no passwords?  What were you thinking?  Since you can never be 
sure that a hacked machine has been fully cleaned, the only option is to 
fdisk and reinstall from a trusted backup.

>From: Jenett Tillotson <jtillots at sparky.pharmacy.purdue.edu>
>To: unisog at sans.org
>Subject: [unisog] PC hack
>Date: Thu, 28 Mar 2002 09:57:16 -0500 (EST)
>
>
>We had 3 PC's running Windows 2000 broken into on Tuesday, March
>26th.  These were machines with accounts that had no passwords.  The
>hacker created new accounts with administrative privleges and named them
>"autodll" and "nt4backup".  The hacker started up the telnet service and
>had set it to automatic.  A Serv-U FTP server was running and had been
>installed in a hidden directory.  The administrative icons were missing
>from the control panel and the event log had been cleared up to the date
>of the attack.  These machines were brought to our attention because the
>user was then unable to login to their account.
>
>I'm curious if anyone else has seen a similar attack and what else should
>we be looking for?
>
>Jenett Tillotson
>School of Pharmacy
>Purdue University
>
>
>


_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com



More information about the unisog mailing list