[unisog] PC hack

Terry Cavender terry.cavender at vanderbilt.edu
Thu Mar 28 17:26:53 GMT 2002

If you watched the thread from 3/21 - 3/27 with the subject RE: Coordinated Scan I am 
pretty sure you will find what you are looking for.

Otherwise a quick check for firedaem.exe will confirm.

Jenett, if you contact Michael Hines at Purdue he should be able to help.


--On Thursday, March 28, 2002 10:41 AM -0500 David McGovern <dmmcgove at hotmail.com> wrote:

> Accounts with no passwords?  What were you thinking?  Since you can never be sure that
> a hacked machine has been fully cleaned, the only option is to fdisk and reinstall from
> a trusted backup.
>> From: Jenett Tillotson <jtillots at sparky.pharmacy.purdue.edu>
>> To: unisog at sans.org
>> Subject: [unisog] PC hack
>> Date: Thu, 28 Mar 2002 09:57:16 -0500 (EST)
>> We had 3 PC's running Windows 2000 broken into on Tuesday, March
>> 26th.  These were machines with accounts that had no passwords.  The
>> hacker created new accounts with administrative privleges and named them
>> "autodll" and "nt4backup".  The hacker started up the telnet service and
>> had set it to automatic.  A Serv-U FTP server was running and had been
>> installed in a hidden directory.  The administrative icons were missing
>> from the control panel and the event log had been cleared up to the date
>> of the attack.  These machines were brought to our attention because the
>> user was then unable to login to their account.
>> I'm curious if anyone else has seen a similar attack and what else should
>> we be looking for?
>> Jenett Tillotson
>> School of Pharmacy
>> Purdue University
> _________________________________________________________________
> Send and receive Hotmail on your mobile device: http://mobile.msn.com

Terry Cavender
Network Security Officer
Vanderbilt University
WK: 615-343-3494 Fx: 615-343-1605
terry.cavender at Vanderbilt.Edu

More information about the unisog mailing list