[unisog] Windows 2000 break-ins

Arnold, Jamie harnold at binghamton.edu
Fri Sep 6 02:29:59 GMT 2002

Same thing here...we're seeing the same activity as in the spring.  Blocking
tftp and IRC seems to help.


-----Original Message-----
From: Allen Chang [mailto:allen at rescomp.berkeley.edu] 
Sent: Thursday, September 05, 2002 8:55 PM
To: Mark L. VanScoyk
Cc: unisog at sans.org
Subject: RE: [unisog] Windows 2000 break-ins

Well...it appears that the schools on quarter system haven't started so they
haven't been hit yet. Since we're on semester, we've practically been
getting attacks since the first day students moved in. Pretty similar to the
attacks from last semester.

Network Security Coordinator
Residential Computing
UC Berkeley

On Thu, 5 Sep 2002, Mark L. VanScoyk wrote:

> We have had a rash of attacks starting in early August.  We have had 
> some machines that were hacked that we know had strong Administrator 
> passwords.  The theory we have been working from is that someone with 
> administrative access to one of those boxes logged into a machine that 
> had a blank administrative password and the attack piggybacked on 
> their credentials.  However, this is a shot in the dark as we have not 
> been able to find any files that are actually a worm.
> In our findings it leaves the following behind:
> - A blank administrator password
> - Enables the guest account
> - Adds guest to administrators
> - Removes the user right to access the computer from the network
> - Installs an IRC server (actually from our logs this may have happened
>   at a later date due to the blank administrator password left behind by
>   the original attack).
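
Added example, not part of the original thread: a triage check for three of the artifacts listed above (Guest enabled, Guest in Administrators, an IRC listener), run over saved output of `net user guest`, `net localgroup administrators` and `netstat -an`. The sample outputs are constructed, the function names are hypothetical, and TCP 6667 is assumed as the conventional IRC port; the blank Administrator password and the removed network-logon right are not covered.

```python
import re

# Constructed sample output (not from the thread) of three stock Windows
# commands, as it might look on a host showing the reported symptoms.
NET_USER_GUEST = """\
User name                    Guest
Account active               Yes
The command completed successfully.
"""

NET_LOCALGROUP_ADMINS = """\
Alias name     Administrators

Members

-------------------------------------------------------------------------------
Administrator
Guest
The command completed successfully.
"""

NETSTAT_AN = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
"""

def group_members(text):
    """Return member names listed between the dashed rule and the status line."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.startswith("-----")), None)
    if start is None:
        return []
    return [l.strip() for l in lines[start + 1:]
            if l.strip() and not l.startswith("The command")]

def triage(net_user, net_group, netstat, irc_ports=(6667,)):
    """Flag the artifacts from the report; irc_ports is an assumption."""
    findings = []
    if re.search(r"^Account active\s+Yes\s*$", net_user, re.M | re.I):
        findings.append("guest account enabled")
    # Strip any DOMAIN\ or HOST\ prefix before comparing the member name.
    if any(m.split("\\")[-1].lower() == "guest" for m in group_members(net_group)):
        findings.append("guest in Administrators")
    for line in netstat.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            port = int(f[1].rsplit(":", 1)[1])
            if port in irc_ports:
                findings.append(f"listener on IRC port {port}")
    return findings
```

An IRC server moved to a non-standard port will not match, so pass the ports seen in local flow or firewall logs as `irc_ports`.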
