Wanted to thank everyone who responded. We have since taken the system out of
operation. We did a little snooping and with the help of everyone here found
the scanner and penetration tool "Grims Ping" http://grimsping.cjb.net/. It
looks like one of the individuals' codenames is MercWnZ aka drunkenFXP, who is
a 15-year-old kid.

I have forwarded all info to the NIPC.

Thanks again!!!
Charles Morin

>  -----Original Message-----
> From:         Charles Morin  
> Sent: Thursday, July 05, 2001 10:07 AM
> To:   '[EMAIL PROTECTED]'
> Subject:      Hacked@!!@!!
> 
> I just discovered that someone has hacked into our webserver through FTP
> and has been using our server for storage of pornsite stuff among other
> things. Below is the first logfile that appears to be the first attempt. I
> am not sure how they got around security on the Firewall and the Server
> but there are also directories that cannot be deleted and display no file
> info. This is an NT4 server running IIS 4.0.
> 
> If anyone has seen this before that can fill me in on who might have done
> this and how I can delete the directory titled NiGHtWaR, I would
> definitely appreciate it.
> 
> 08:24:02 172.16.2.251 [1]USER anonymous 331
> 08:24:02 172.16.2.251 [1]PASS [EMAIL PROTECTED] 230
> 08:47:11 172.16.2.251 [2]USER anonymous 331
> 08:47:11 172.16.2.251 [2]PASS [EMAIL PROTECTED] 230
> 08:47:55 172.16.2.251 [2]created Tagged 226
> 08:48:26 172.16.2.251 [2]created Tagged 226
> 08:50:21 172.16.2.251 [2]ABORT - 226
> 08:50:21 172.16.2.251 [2]sent /_vti_pvt/_vti_cnf/Tagged 426
> 08:50:44 172.16.2.251 [2]QUIT - 426
> 12:49:56 172.16.2.251 [3]USER anonymous 331
> 12:49:56 172.16.2.251 [3]PASS [EMAIL PROTECTED] 230
> 14:07:42 172.16.2.251 [4]USER anonymous 331
> 14:07:42 172.16.2.251 [4]PASS [EMAIL PROTECTED] 230
> 14:08:19 172.16.2.251 [4]sent /upload/TAGGED+.txt 550
> 14:08:21 172.16.2.251 [4]created TAGGED+.txt 226
> 14:23:01 172.16.2.251 [4]QUIT - 257
> 14:23:13 172.16.2.251 [5]USER anonymous 331
> 14:23:13 172.16.2.251 [5]PASS [EMAIL PROTECTED] 230
> 14:25:03 172.16.2.251 [5]sent /upload/.Tagged+RoccoBoard+Team/COM1/1/1mb.test 550
> 
> Thank You,
> Charles Morin
> Director Information Technology
> New Horizons Computer Learning Centers
> [EMAIL PROTECTED]
> ph:805.496.9690
> fx:805.496.9780
> 
> 
> 
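
A log check for the pattern in the quoted excerpt, added here as an example and not part of the original thread: it flags sessions that logged in as anonymous and then successfully created files, and paths containing reserved DOS device names such as the `COM1` component in the last log line, which standard Win32 file tools refuse to handle normally. The line layout is inferred from the excerpt, and the function name `analyze` is hypothetical.

```python
import re

# Lines copied from the log excerpt above (the wrapped last line is rejoined).
SAMPLE_LOG = """\
08:47:11 172.16.2.251 [2]USER anonymous 331
08:47:11 172.16.2.251 [2]PASS [EMAIL PROTECTED] 230
08:47:55 172.16.2.251 [2]created Tagged 226
14:07:42 172.16.2.251 [4]USER anonymous 331
14:07:42 172.16.2.251 [4]PASS [EMAIL PROTECTED] 230
14:08:19 172.16.2.251 [4]sent /upload/TAGGED+.txt 550
14:08:21 172.16.2.251 [4]created TAGGED+.txt 226
14:23:13 172.16.2.251 [5]USER anonymous 331
14:23:13 172.16.2.251 [5]PASS [EMAIL PROTECTED] 230
14:25:03 172.16.2.251 [5]sent /upload/.Tagged+RoccoBoard+Team/COM1/1/1mb.test 550
"""

# Assumed layout: time, client IP, [session]verb, target, status code.
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) \[(\d+)\](\S+) (.+) (\d{3})$")
# Reserved DOS device names, with or without an extension.
RESERVED = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$", re.I)

def analyze(log_text):
    """Return (files written per anonymous session, paths with reserved names)."""
    pending, anon, writes, reserved_paths = {}, set(), {}, []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unparseable lines
        _time, ip, sid, verb, target, status = m.groups()
        key = (ip, sid)
        if verb == "USER":
            pending[key] = target.lower() == "anonymous"
        elif verb == "PASS" and status == "230" and pending.get(key):
            anon.add(key)  # anonymous login accepted
        elif verb == "created" and status == "226" and key in anon:
            writes.setdefault(key, []).append(target)  # successful upload
        if any(RESERVED.match(part) for part in re.split(r"[\\/]", target)):
            reserved_paths.append(target)
    return writes, reserved_paths

if __name__ == "__main__":
    writes, reserved = analyze(SAMPLE_LOG)
    for (ip, sid), files in writes.items():
        print(f"anonymous session {sid} from {ip} created: {files}")
    for path in reserved:
        print(f"reserved device name in path: {path}")
```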
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
