RE: OWA and attack by Chinese?!?
It didn't also happen to say Welcome to http:// www.worm.com, did it?

Sounds like Code Red. Read this:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

John J. Steniger

-----Original Message-----
From: Orin Rehorst [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 11:49 AM
To: Exchange Discussions
Subject: OWA and attack by Chinese?!?

Running Exchange 5.5 on Win2K server, latest service packs. Users over weekend accessed using OWA. Got message at sign on page has been hacked by Chinese. After that page wouldn't come up. Problem cleared when we rebooted server. Please advise.

TIA

Regards,
Orin

Orin Rehorst
Port of Houston Authority (Largest U.S. port in foreign tonnage)
e-mail: [EMAIL PROTECTED]
Phone: (713)670-2443
Fax: (713)670-2457
TOPAS web site: www.homestead.com/topas/topas.html

_________________________________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
RE: OWA and attack by Chinese?!?
PS read the MS white papers on securing your IIS server

bill

-----Original Message-----
From: John Steniger [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 11:51 AM
To: Exchange Discussions
Subject: RE: OWA and attack by Chinese?!?

It didn't also happen to say Welcome to http:// www.worm.com, did it?

Sounds like Code Red. Read this:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

John J. Steniger

-----Original Message-----
From: Orin Rehorst [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 11:49 AM
To: Exchange Discussions
Subject: OWA and attack by Chinese?!?

Running Exchange 5.5 on Win2K server, latest service packs. Users over weekend accessed using OWA. Got message at sign on page has been hacked by Chinese. After that page wouldn't come up. Problem cleared when we rebooted server. Please advise.

TIA

Regards,
Orin

Orin Rehorst
Port of Houston Authority (Largest U.S. port in foreign tonnage)
e-mail: [EMAIL PROTECTED]
Phone: (713)670-2443
Fax: (713)670-2457
TOPAS web site: www.homestead.com/topas/topas.html
RE: OWA and attack by Chinese?!?
Man! Install URLSCAN!

-----Original Message-----
From: Mellott, Bill [mailto:[EMAIL PROTECTED]]
Posted At: Tuesday, December 17, 2002 7:13 AM
Posted To: Exchange
Conversation: OWA and attack by Chinese?!?
Subject: RE: OWA and attack by Chinese?!?

PS read the MS white papers on securing your IIS server

bill

-----Original Message-----
From: John Steniger [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 11:51 AM
To: Exchange Discussions
Subject: RE: OWA and attack by Chinese?!?

It didn't also happen to say Welcome to http:// www.worm.com, did it?

Sounds like Code Red. Read this:
http://securityresponse.symantec.com/avcenter/venc/data/codered.worm.html

John J. Steniger

-----Original Message-----
From: Orin Rehorst [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 11:49 AM
To: Exchange Discussions
Subject: OWA and attack by Chinese?!?

Running Exchange 5.5 on Win2K server, latest service packs. Users over weekend accessed using OWA. Got message at sign on page has been hacked by Chinese. After that page wouldn't come up. Problem cleared when we rebooted server. Please advise.

TIA

Regards,
Orin

Orin Rehorst
Port of Houston Authority (Largest U.S. port in foreign tonnage)
e-mail: [EMAIL PROTECTED]
Phone: (713)670-2443
Fax: (713)670-2457
TOPAS web site: www.homestead.com/topas/topas.html
RE: OWA and attack by Chinese?!?
Deja search points to code red...

http://groups.google.com/groups?q=page+has+been+hacked+by+chinese&ie=UTF-8&oe=UTF-8&hl=en

-----Original Message-----
From: Orin Rehorst [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 10:49 AM
To: Exchange Discussions
Subject: OWA and attack by Chinese?!?

Running Exchange 5.5 on Win2K server, latest service packs. Users over weekend accessed using OWA. Got message at sign on page has been hacked by Chinese. After that page wouldn't come up. Problem cleared when we rebooted server. Please advise.

TIA

Regards,
Orin

Orin Rehorst
Port of Houston Authority (Largest U.S. port in foreign tonnage)
e-mail: [EMAIL PROTECTED]
Phone: (713)670-2443
Fax: (713)670-2457
TOPAS web site: www.homestead.com/topas/topas.html
RE: OWA and attack by Chinese?!?
The Hacked by Chinese is a group of hackers that sign the pages they exploit like that. Most likely they installed a backdoor on your server. Your best bet is to completely wipe out the server. Restore from a backup that can be verified that it was made before they hacked your server. Then install all the latest security patches on your system. This is why you pay attention to the MS security bulletins and CERT advisories.

A nice and simple program for checking is Microsoft Baseline Security Analyzer. You can download it for free from here:
http://support.microsoft.com/default.aspx?scid=KB;en-us;320454;

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Orin Rehorst
Sent: Monday, December 16, 2002 8:49 AM
To: Exchange Discussions
Subject: OWA and attack by Chinese?!?

Running Exchange 5.5 on Win2K server, latest service packs. Users over weekend accessed using OWA. Got message at sign on page has been hacked by Chinese. After that page wouldn't come up. Problem cleared when we rebooted server. Please advise.

TIA

Regards,
Orin

Orin Rehorst
Port of Houston Authority (Largest U.S. port in foreign tonnage)
e-mail: [EMAIL PROTECTED]
Phone: (713)670-2443
Fax: (713)670-2457
TOPAS web site: www.homestead.com/topas/topas.html