> (the server was installed without security knowing about it).
You have far worse problems than a defaced server!
[I *wish* you were alone in that. I worked for a while on a
network where I was *supposed* to be responsible for security, but
others could enable outside access to new servers. Hardly a week
went by that I didn't learn about a new server -- by having it turn
up in some script-kiddie's portscan....]
David Gillett
On 27 May 2001, at 0:24, Bill Royds wrote:
> A newly installed server on our network was defaced with this (the
> server was installed without security knowing about it). On
> checking the firewall logs for that IP, I found that it was not
> defaced once, but 4 times. It was only the last version that was
> caught by the system's owners. One of those also added a NetBus
> Trojan but not the one that was finally reported to security. If
> you do not have a record of exactly the commands that were used to
> deface your site, you cannot be sure that it did not have anything
> else added. I would still do forensic analysis of the
> servers to ensure that the only changes were the ones you assume
> and then restore from backup (or in our case get Dell to
> re-install their mess WITH patches).
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Young, Beth A.
> Sent: Friday, May 25, 2001 13:58
> To: [EMAIL PROTECTED]
> Subject: RE: f**k USA government f**k poizonbox
>
>
> From personal experience here:
>
> We had about 25 machines around the state defaced. 2 of those machines had
> backdoor programs installed. All the defacements looked the same, so don't
> assume anything.
>
> Beth
>
> -----Original Message-----
> From: Eric Robinson [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 12:09 PM
> To: Elizabeth Zwicky; Jose Nazario
> Cc: [EMAIL PROTECTED]
> Subject: RE: f**k USA government f**k poizonbox
>
>
> Have you checked around to see what analysts in various places have said
> about the true nature of the attack? Have there been reports of different
> versions of the attack that do more than I stated?
>
> Eric Robinson
> Network Architect
> edurus, Inc.
> www.edurus.com
>
> -----Original Message-----
> From: Elizabeth Zwicky [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 25, 2001 10:05 AM
> To: 'Eric Robinson'; Jose Nazario
> Cc: [EMAIL PROTECTED]
> Subject: RE: f**k USA government f**k poizonbox
>
>
>
> > There comes a point at which you have to ask yourself, "Was I just one of
> > several thousand identical victims, or did some hacker want to get into my
> > particular web server so badly that he timed his attack to coincide with a
> > larger world-wide event as a cover?"
>
> Or, of course, you could ask yourself "Hey, since I know that
> more than one person ran these attacks, is it possible that
> different people used slightly different variations of
> the attack, some of which left behind back doors?"
> You could answer this question "No, no hacker would ever
> take advantage of a political protest to hide back doors
> on machines, and every single attack in these thousands
> is from exactly the same software" but on the whole, I'd
> have to regard that as a strange thing to believe.
>
> Elizabeth Zwicky
> [EMAIL PROTECTED]
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
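The point Bill Royds makes above, that without a record of exactly what was done you cannot be sure nothing else was added, is the case for keeping a known-good file manifest taken at install time and stored off the box. The following is an added example, not code from anyone in this thread: it hashes a web root into a manifest, then reports which files were added, modified or removed after a constructed defacement. The directory layout, file names and contents are all constructed for the demo.

```python
# Added example (not from the thread): verify a server's file tree against a
# baseline manifest of SHA-256 hashes, so "only the changes we assume" can be
# checked rather than assumed. All paths and file contents are constructed.
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its hash."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Classify differences as added, modified or removed relative to baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "modified": modified, "removed": removed}


def demo() -> dict:
    """Build a toy web root, snapshot it, then simulate a defacement and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "about.html").write_text("<p>About us</p>\n")
        (root / "cgi-bin" / "search.pl").write_text("#!/usr/bin/perl\nprint 'ok';\n")

        # Baseline taken at install time; in practice it is stored off-box.
        baseline = build_manifest(root)

        # Constructed defacement: the index page is overwritten, an extra file
        # is dropped that the visible defacement alone would not reveal, and
        # one page is deleted.
        (root / "index.html").write_text("<h1>defaced</h1>\n")
        (root / "cgi-bin" / "extra.exe").write_bytes(b"MZ\x90\x00placeholder")
        (root / "about.html").unlink()

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would apply: the manifest is only useful if it was taken before the machine was exposed and kept where an intruder on the host cannot rewrite it, and the comparison should be run from a trusted boot image or against a mounted copy of the disk, since tools run on a compromised host can be made to lie. A file manifest also says nothing about registry changes, services, or scheduled tasks, so it complements rather than replaces the forensic analysis recommended above.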