At 10:14 AM 10/24/2001 +1000, David Ng wrote:
>Dear all,
> We have an NT network that was hit the other day, in the sense that it
> was remotely shut down by an individual somehow. The person might have the
> passwords and also sound technical expertise in remote utilities. Is
> there a way for me to trace where the traffic was coming from that day
> and what IP address? Also, is there a way to automatically capture the
> screen if it was remotely controlled?
> Please advise, thanks in advance.
You've probably been infected by Code Red and/or Nimda. Someone probably
got tired of your machine attacking them and remotely shut you down.
As to how it was done: look in the C:\ directory on your system. If
there's a file called "root.exe", you were hit by Code Red. That means that
anyone, anywhere was permitted to execute arbitrary commands on your web
server for several weeks at least.
There's no way for you to tell what's been done to your machine if that's
the case. Disconnect it, rebuild it, and install the patches.
-Rick
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
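One way to follow up on both questions in the thread (which IP addresses the traffic came from, and whether root.exe was being used) is to scan the IIS web logs for the worms' request signatures. This is an added example, not part of the original post: it parses a constructed IIS W3C log sample and counts hits per client IP; root.exe is the indicator named in the thread, while default.ida and cmd.exe are the other well-known Code Red and Nimda request patterns, and the log lines are invented.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of an IIS W3C extended log (not real data). The field
# order is declared by the #Fields: line, as IIS writes it.
SAMPLE_LOG = """#Software: Microsoft Internet Information Server
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-22 03:12:09 192.0.2.10 GET /default.htm - 200
2001-10-22 03:14:51 198.51.100.7 GET /default.ida NNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 200
2001-10-22 03:15:02 198.51.100.7 GET /scripts/root.exe /c+dir 200
2001-10-22 03:15:03 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 200
2001-10-22 03:20:44 203.0.113.5 GET /MSADC/root.exe /c+dir 404
2001-10-22 03:21:10 192.0.2.10 GET /images/logo.gif - 200
"""

# Request patterns left by Code Red (default.ida overflow) and Nimda
# (root.exe / cmd.exe command execution). root.exe is the indicator named
# in the thread; the others are well-known signatures of the same worms.
WORM_PATTERNS = {
    "code-red": re.compile(r"/default\.ida", re.IGNORECASE),
    "nimda": re.compile(r"/(root|cmd)\.exe", re.IGNORECASE),
}


def parse_w3c(text):
    """Yield one dict per data line, naming fields from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_worm_traffic(text):
    """Return {client_ip: {worm_name: hit_count}} for matching requests."""
    hits = defaultdict(Counter)
    for rec in parse_w3c(text):
        target = rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]
        for name, pattern in WORM_PATTERNS.items():
            if pattern.search(target):
                hits[rec["c-ip"]][name] += 1
    return {ip: dict(counts) for ip, counts in hits.items()}


if __name__ == "__main__":
    for ip, counts in sorted(find_worm_traffic(SAMPLE_LOG).items()):
        print(ip, counts)
```

A 200 status on a root.exe request means the backdoor answered, which is the case Rick describes; a 404 means the probe arrived but that path was not present.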