[unisog] Windows 2000 break-ins

Anderson Johnston andy at umbc.edu
Thu Sep 5 23:22:48 GMT 2002


Check for TFTP traffic to off-campus IPs, as well.  That's usually how the
initial hackware gets downloaded.

					- andy

On Thu, 5 Sep 2002, Jeff Bollinger wrote:

> I think that Microsoft document is a stab in the dark.  We've been
> seeing similar attacks all summer long, and they are continuing.  The
> name of the files on compromised systems varies enormously to the point
> that you really can't predict, or even look for similar patterns.  Most
> all of these are related to having blank administrator passwords.  The
> KB article offers nothing new really.  What you should really be
> watching for are connections to IRC servers (particularly XDCC traffic),
> and monitoring the bandwidth those connections are consuming.
>
> Jeff
>
> Gary Flynn wrote:
> > A few months ago, there was a spate of break-ins that
> > involved IRC floods and backdoor trojans. I believe that
> > weak or nonexistent Administrator passwords were
> > thought to be partially at fault.
> >
> > I just ran across a Microsoft security bulletin warning
> > of a new spate of what looks to me to be similar incidents.
> > Anyone seeing anything?
> >
> > http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
> >
>
> --
> Jeff Bollinger
> University of North Carolina
> IT Security Analyst
> 105 Abernethy Hall
> mailto: jeff_bollinger at unc dot edu
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iEYEARECAAYFAjzETQsACgkQvoVlxVBmgsXunQCg1Pjc14nTjWiP8FCy+NNDK97E
> HMAAoIRhikBeM5Lm+6Iu/0h3MX6lDgiR
> =LpiV
> -----END PGP SIGNATURE-----
>

------------------------------------------------------------------------------
** Andy Johnston (andy at umbc.edu)          *            pager: 410-678-8949  **
** Manager of IT Security                 * PGP key:(afj2002) 4096/8448B056 **
** Office of Information Technology, UMBC *   4A B4 96 64 D9 B6 EF E3 21 9A **
** 410-455-2583 (v)/410-455-1065 (f)      *   46 1A 37 11 F5 6C 84 48 B0 56 **
------------------------------------------------------------------------------
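The two checks suggested in the thread (TFTP downloads to off-campus hosts, and IRC sessions that move far more bytes than a chat should) can be run as a batch over exported flow records. The script below is an added example written for this page, not code from any of the posters or from the unisog list. The flow-record format, the sample records, the campus address range (10.0.0.0/8), the IRC port list and the 50 MiB threshold are all assumptions; substitute your own exporter's fields and your institution's allocation.

```python
"""Flag the two indicators named in the thread: TFTP to off-campus hosts and
IRC sessions ranked by bytes transferred.  Example code, not from the list;
log format, address ranges, ports and thresholds are assumptions."""
import ipaddress
from collections import defaultdict

# Assumed campus address space; substitute your institution's allocation.
CAMPUS_NETS = [ipaddress.ip_network("10.0.0.0/8")]
TFTP_PORT = 69
# Assumed IRC server ports; the thread names none, so adjust for local experience.
IRC_PORTS = set(range(6660, 6670)) | {7000}
# Assumed threshold: a chat session should not move 50 MiB; XDCC transfers do.
IRC_HEAVY_BYTES = 50 * 1024 * 1024

# Constructed flow records (not real traffic):
# "<timestamp> <proto> <src_ip>:<sport> <dst_ip>:<dport> <bytes>"
SAMPLE_FLOWS = """\
2002-09-05T22:01:10 udp 10.1.2.3:2048 198.51.100.7:69 1460
2002-09-05T22:01:15 tcp 10.1.2.3:1039 198.51.100.9:6667 524288
2002-09-05T22:02:00 tcp 10.1.2.3:1040 198.51.100.9:6667 94371840
2002-09-05T22:03:00 udp 10.1.2.3:2050 10.1.9.9:69 512
2002-09-05T22:04:00 tcp 10.1.2.4:1041 198.51.100.12:80 2048
2002-09-05T22:05:00 tcp 10.1.2.5:1042 198.51.100.20:6669 20480
"""


def parse_flow(line):
    """Split one flow record into its fields."""
    ts, proto, src, dst, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {
        "ts": ts, "proto": proto.lower(),
        "src": src_ip, "sport": int(src_port),
        "dst": dst_ip, "dport": int(dst_port),
        "bytes": int(nbytes),
    }


def is_campus(ip):
    """True if the address falls inside the assumed campus ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS_NETS)


def analyze(lines):
    """Return the two indicator sets from the thread for a batch of flows."""
    tftp_off_campus = []             # (src, dst): likely hackware download path
    irc_peers = defaultdict(int)     # (src, dst) -> total bytes sent to IRC ports
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if not is_campus(f["src"]):
            continue                 # only outbound traffic from campus hosts
        # TFTP to an off-campus server: how the initial tools usually arrive.
        if f["proto"] == "udp" and f["dport"] == TFTP_PORT and not is_campus(f["dst"]):
            tftp_off_campus.append((f["src"], f["dst"]))
        # Any IRC connection is worth a look; sum bytes so XDCC traffic stands out.
        if f["proto"] == "tcp" and f["dport"] in IRC_PORTS:
            irc_peers[(f["src"], f["dst"])] += f["bytes"]
    irc_heavy = sorted(
        (pair for pair, total in irc_peers.items() if total >= IRC_HEAVY_BYTES),
        key=lambda pair: -irc_peers[pair],
    )
    return {
        "tftp_off_campus": tftp_off_campus,
        "irc_peers": dict(irc_peers),
        "irc_heavy": irc_heavy,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_FLOWS.splitlines())
    for src, dst in report["tftp_off_campus"]:
        print(f"TFTP to off-campus host: {src} -> {dst}")
    for src, dst in report["irc_heavy"]:
        total = report["irc_peers"][(src, dst)]
        print(f"heavy IRC session ({total} bytes): {src} -> {dst}")
```

On the constructed records the script reports one TFTP transfer to an off-campus address and one IRC peer that has moved well over the threshold; the on-campus TFTP flow and the small IRC session are kept in the peer list but not alerted on, so a human can still review every IRC connection, as the thread recommends, without every chat user becoming an alert.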


