[unisog] Windows 2000 break-ins

Allen Chang allen at rescomp.berkeley.edu
Fri Sep 6 00:55:06 GMT 2002


Well...it appears that the schools on quarter system haven't started so
they haven't been hit yet. Since we're on semester, we've practically been
getting attacks since the first day students moved in. Pretty similar to
the attacks from last semester.

@llen
Network Security Coordinator
Residential Computing
UC Berkeley

On Thu, 5 Sep 2002, Mark L. VanScoyk wrote:

> We have had a rash of attacks starting in early August.  We have had
> some machines that were hacked that we know had strong Administrator
> passwords.  The theory we have been working from is that someone with
> administrative access to one of those boxes logged into a machine that
> had a blank administrative password and the attack piggy backed on their
> credentials.  However, this is a shot in the dark as we have not been
> able to find any files that are actually a worm.
>
> In our findings it leaves the following behind:
> A blank administrator password
> Enables the guest account
> Adds guest to administrators
> Removes the user right to access the computer from the network
> Installs an IRC server (actually from our logs this may have happened at
> a later date due to the blank administrator password left behind by the
> original attack).



More information about the unisog mailing list