A newly installed server on our network was defaced with this (the server was
installed without security knowing about it).
On checking the firewall logs for that IP, I found that it was not defaced once, but 4
times. It was only the last version that was caught by the system's owners. One of
those also added a NetBus Trojan, but not the one that was finally reported to security.
If you do not have a record of exactly the commands that were used to deface your
site, you cannot be sure that it did not have anything else added. I would still do
forensic analysis of the servers to ensure that the only changes were the ones you
assume and then restore from backup (or in our case get Dell to re-install their mess
WITH patches).
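The two checks recommended above (go back through the firewall log for the defaced host to see how many separate visits it actually had, then compare the box against a known-good file manifest so that anything beyond the expected page change stands out), as an added example that is not part of the original post or any poster's code. It assumes a simple constructed log line format, documentation IP addresses (192.0.2.10 as the defaced host), the NetBus 1.x default listener ports 12345/12346 as the only backdoor indicator, and constructed before/after file trees with hypothetical filenames; real log formats and indicator lists will differ.

```python
"""Post-defacement triage (constructed sample data throughout).

1. Cluster every accepted inbound connection to the defaced host into
   separate visits, so one reported defacement is not taken as the only one.
2. Diff the current file tree against a known-good hash manifest so a
   dropped backdoor shows up next to the expected page change.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed firewall log, not a real product's format. Each line is
# "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
2001-05-20 02:14:07 ACCEPT TCP 203.0.113.7:4021 -> 192.0.2.10:80
2001-05-20 02:14:09 ACCEPT TCP 203.0.113.7:4022 -> 192.0.2.10:80
2001-05-21 23:40:11 ACCEPT TCP 198.51.100.23:1188 -> 192.0.2.10:80
2001-05-21 23:40:30 ACCEPT TCP 198.51.100.23:1190 -> 192.0.2.10:12345
2001-05-23 04:02:55 ACCEPT TCP 203.0.113.99:3306 -> 192.0.2.10:80
2001-05-23 04:03:10 DROP TCP 203.0.113.99:3307 -> 192.0.2.10:139
2001-05-25 09:31:40 ACCEPT TCP 198.51.100.77:2044 -> 192.0.2.10:80
2001-05-25 09:32:01 ACCEPT TCP 198.51.100.77:2045 -> 192.0.2.11:80
"""
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# NetBus 1.x listened on TCP 12345/12346 by default; used as the single
# backdoor indicator for this example, not as an exhaustive list.
BACKDOOR_PORTS = {12345, 12346}


def parse_accepts(log_text, target_ip):
    """Return sorted (time, src, dport) for accepted connections to target_ip."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["action"] != "ACCEPT" or m["dst"] != target_ip:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["src"], int(m["dport"])))
    return sorted(events)


def intrusion_windows(events, gap=timedelta(hours=1)):
    """Cluster connections into visits: a new window starts whenever more
    than `gap` passes with no traffic to the host."""
    windows = []
    for ts, src, dport in events:
        if windows and ts - windows[-1]["end"] <= gap:
            w = windows[-1]
        else:
            w = {"start": ts, "end": ts, "sources": set(), "ports": set()}
            windows.append(w)
        w["end"] = ts
        w["sources"].add(src)
        w["ports"].add(dport)
    for w in windows:
        w["backdoor_ports"] = w["ports"] & BACKDOOR_PORTS
    return windows


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def diff_against_manifest(baseline, current):
    """Compare a known-good {path: sha256} manifest with the current
    {path: bytes} tree; report added, removed and modified paths."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(
        p for p in current if p in baseline and sha256_hex(current[p]) != baseline[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def unexpected_changes(diff, expected):
    """Every touched path that the defacement alone does not explain."""
    touched = set(diff["added"]) | set(diff["removed"]) | set(diff["modified"])
    return sorted(touched - set(expected))


# Constructed trees: the box at install time, and as found after the
# defacement. patch.exe / KeyHook.dll are hypothetical stand-ins for a
# dropped NetBus server, sample data rather than a detection rule.
KNOWN_GOOD_TREE = {
    "wwwroot/index.html": b"<h1>Welcome</h1>\n",
    "wwwroot/about.html": b"<p>About us</p>\n",
    "winnt/system32/cmd.exe": b"MZ...cmd...",
}
BASELINE = {p: sha256_hex(b) for p, b in KNOWN_GOOD_TREE.items()}
CURRENT_TREE = {
    "wwwroot/index.html": b"<h1>defaced</h1>\n",
    "wwwroot/about.html": b"<p>About us</p>\n",
    "winnt/system32/cmd.exe": b"MZ...cmd...",
    "winnt/system32/patch.exe": b"MZ...netbus...",
    "winnt/system32/KeyHook.dll": b"MZ...hook...",
}


def triage(log_text, target_ip, baseline, current_tree, expected_changed):
    """Both checks combined: how many visits, and what changed beyond the page."""
    windows = intrusion_windows(parse_accepts(log_text, target_ip))
    diff = diff_against_manifest(baseline, current_tree)
    return {
        "visits": len(windows),
        "visits_with_backdoor_port": sum(1 for w in windows if w["backdoor_ports"]),
        "unexpected_changes": unexpected_changes(diff, expected_changed),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "192.0.2.10", BASELINE, CURRENT_TREE, {"wwwroot/index.html"}))
```

On the sample data the host was visited four separate times, one visit touched a NetBus port, and the manifest diff lists two binaries the defacement does not account for. The manifest has to come from a known-good source (install media, a pre-incident backup, or a hash database taken before the box went live); a manifest generated after the compromise only proves the box matches itself.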
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Young, Beth A.
Sent: Friday, May 25, 2001 13:58
To: [EMAIL PROTECTED]
Subject: RE: f**k USA government f**k poizonbox
From personal experience here:
We had about 25 machines around the state defaced. Two of those machines had
backdoor programs installed. All the defacements looked the same so don't
assume anything.
Beth
-----Original Message-----
From: Eric Robinson [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 12:09 PM
To: Elizabeth Zwicky; Jose Nazario
Cc: [EMAIL PROTECTED]
Subject: RE: f**k USA government f**k poizonbox
Have you checked around to see what analysts in various places have said
about the true nature of the attack? Have there been reports of different
versions of the attack that do more than I stated?
Eric Robinson
Network Architect
edurus, Inc.
www.edurus.com
-----Original Message-----
From: Elizabeth Zwicky [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 25, 2001 10:05 AM
To: 'Eric Robinson'; Jose Nazario
Cc: [EMAIL PROTECTED]
Subject: RE: f**k USA government f**k poizonbox
> There comes a point at which you have to ask yourself, "Was I just one of
> several thousand identical victims, or did some hacker want to get into my
> particular web server so badly that he timed his attack to coincide with a
> larger world-wide event as a cover?"
Or, of course, you could ask yourself "Hey, since I know that
more than one person ran these attacks, is it possible that
different people used slightly different variations of
the attack, some of which left behind back doors?"
You could answer this question "No, no hacker would ever
take advantage of a political protest to hide back doors
on machines, and every single attack in these thousands
is from exactly the same software" but on the whole, I'd
have to regard that as a strange thing to believe.
Elizabeth Zwicky
[EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]