[unisog] PC hack
terry.cavender at vanderbilt.edu
Thu Mar 28 17:26:53 GMT 2002
If you watched the thread from 3/21 - 3/27 with the subject "RE: Coordinated Scan", I am
pretty sure you will find what you are looking for.
Otherwise a quick check for firedaem.exe will confirm.
Jenett, if you contact Michael Hines at Purdue he should be able to help.
--On Thursday, March 28, 2002 10:41 AM -0500 David McGovern <dmmcgove at hotmail.com> wrote:
> Accounts with no passwords? What were you thinking? Since you can never be sure that
> a hacked machine has been fully cleaned, the only option is to fdisk and reinstall from
> a trusted backup.
>> From: Jenett Tillotson <jtillots at sparky.pharmacy.purdue.edu>
>> To: unisog at sans.org
>> Subject: [unisog] PC hack
>> Date: Thu, 28 Mar 2002 09:57:16 -0500 (EST)
>> We had 3 PCs running Windows 2000 broken into on Tuesday, March
>> 26th. These were machines with accounts that had no passwords. The
>> hacker created new accounts with administrative privileges and named them
>> "autodll" and "nt4backup". The hacker started up the telnet service and
>> had set it to automatic. A Serv-U FTP server was running and had been
>> installed in a hidden directory. The administrative icons were missing
>> from the control panel and the event log had been cleared up to the date
>> of the attack. These machines were brought to our attention because the
>> user was then unable to log in to their account.
>> I'm curious if anyone else has seen a similar attack and what else should
>> we be looking for?
>> Jenett Tillotson
>> School of Pharmacy
>> Purdue University
Network Security Officer
WK: 615-343-3494 Fx: 615-343-1605
terry.cavender at Vanderbilt.Edu
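
A triage check for the indicators named in this thread (the "autodll" and "nt4backup" accounts, the telnet service set to automatic, and firedaem.exe), as an added example that is not part of the original messages. It assumes the text was collected from the suspect host with `net user`, `sc qc tlntsvr` and `dir /s /b /a`; the function names and sample outputs are constructed for illustration, and the Serv-U install and cleared event log are not covered.

```python
import re

# Indicators named in the thread above.
ROGUE_ACCOUNTS = {"autodll", "nt4backup"}
SUSPECT_FILES = {"firedaem.exe"}

# Constructed sample outputs (hypothetical host, not data from the incident).
SAMPLE_NET_USER = r"""User accounts for \\LABPC01

-------------------------------------------------------------------------------
Administrator            autodll                  Guest
jdoe                     nt4backup
The command completed successfully.
"""
SAMPLE_SC_QC = r"""SERVICE_NAME: tlntsvr
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
"""
SAMPLE_DIR = r"""C:\WINNT\system32\notepad.exe
C:\WINNT\system32\spool\example\firedaem.exe
"""

def rogue_accounts(net_user_output):
    """Return indicator account names listed in `net user` output."""
    names, in_table = [], False
    for line in net_user_output.splitlines():
        if line.startswith("---"):
            in_table = True  # account names start after the dashed rule
        elif in_table and not line.startswith("The command"):
            # Columns are padded with several spaces; names may hold single spaces.
            names += [n for n in re.split(r"\s{2,}", line.strip()) if n]
    return sorted(n for n in names if n.lower() in ROGUE_ACCOUNTS)

def telnet_autostart(sc_qc_output):
    """True if `sc qc tlntsvr` output reports START_TYPE AUTO_START."""
    m = re.search(r"START_TYPE\s*:\s*\d+\s+(\w+)", sc_qc_output)
    return bool(m) and m.group(1) == "AUTO_START"

def suspect_files(dir_listing):
    """Return paths from `dir /s /b /a` whose file name is an indicator."""
    paths = (p.strip() for p in dir_listing.splitlines())
    return [p for p in paths if p.rsplit("\\", 1)[-1].lower() in SUSPECT_FILES]

def triage(net_user_output, sc_qc_output, dir_listing):
    """Run all three checks and return the findings as a dict."""
    return {"rogue_accounts": rogue_accounts(net_user_output),
            "telnet_autostart": telnet_autostart(sc_qc_output),
            "suspect_files": suspect_files(dir_listing)}

if __name__ == "__main__":
    print(triage(SAMPLE_NET_USER, SAMPLE_SC_QC, SAMPLE_DIR))
```

A clean result from this check does not show the host is clean; it only reports whether these specific indicators are present in the collected output.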