One of my friend's home computers, running a plain install of Win2K and IIS5
on a dialup ADSL line, was hit by this.
Since the machine has nothing in particular on it, we have not modified,
removed or changed anything. It has been noticed that anonymous users have
been accessing the box and have modified the ftp service. It has also been
noticed that McAfee AV picks out the code as a trojan.

We are planning to leave it as a honeypot and see what happens.

Ad.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Eric Robinson
> Sent: 25 May 2001 14:24
> To: Devin L. Ganger
> Cc: [EMAIL PROTECTED]
> Subject: RE: f**k USA government f**k poizonbox
>
>
> Just out of curiosity, does anyone have a story to tell about a server that
> (1) got hit by the "fuck USA" attack, (2) was subsequently patched with the
> latest security updates, and (3) continued to display problems associated
> with hacker activity?
>
> --Eric
>
>
>
> -----Original Message-----
> From: Devin L. Ganger [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 1:41 PM
> To: Eric Robinson
> Cc: [EMAIL PROTECTED]
> Subject: Re: f**k USA government f**k poizonbox
>
>
> On Fri, May 25, 2001 at 09:24:00AM -0700, Eric Robinson wrote:
>
> > Members of this list who suggest that you should reformat and reinstall
> > after a hacking incident are only partially correct. Starting with a clean
> > slate is the only way to be sure you have eliminated your problem if you
> > don't already know the exact nature of the attack. In this case, we do. :-)
>
> No, you don't, until you've run the exhaustive forensic analysis.  Until
> then, you're guessing.  Encouraging people to break one of the foremost
> rules of computer security is just plain bad advice.
>
> If you are diagnosing based on symptoms, then you are putting yourself
> at the mercy of the attackers.  You are gambling on their complacency.
>
> Bad move.
>
> --
> Devin L. Ganger <[EMAIL PROTECTED]>
> find / -name *base* -exec chown us:us {} \;
> su -c someone 'export UP_US=thebomb'
> for f in great justice ; do sed -e 's/zig//g' < $f ; done
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
