RE: MSX5.5 hacked
Furthermore, if the brown stuff does hit the fan and valuable data is compromised because of this, the people who don't know jack about IT are going to ask the people who do know about IT what steps they took to secure their network. And it's usually the guys who don't know jack about IT who know a lot about exit doors and dismissal proceedings. If you get my drift...

Regards
Mr Louis Joyce
Data Support Analyst
BT Ignite eSolutions

-----Original Message-----
From: Daniel Chenault [mailto:[EMAIL PROTECTED]]
Sent: 14 March 2002 19:11
To: Exchange Discussions
Subject: Re: MSX5.5 hacked

As others have pointed out, your IIS server got hacked; Exchange itself is probably fine, but I would bet your passwords have been compromised. Back up Exchange and any data you want to keep. Flatten this box, reinstall and put the ding-dang security hotfixes on it before putting it back on the network. Then restore Exchange (the disaster recovery whitepaper will come in handy here). Change ALL your passwords. All of them. I'm not kidding at all: you don't know to what extent your enterprise has been compromised.

----- Original Message -----
From: Bravo, Liliana [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 11:34 AM
Subject: MSX5.5 hacked

Hi all,

MSX5.5/SP4

We have found ftp1.exe, nc.exe and cmd1.exe in c:\inetpub; also nc.exe and ftp1.exe are running in memory. After reading our log files, those files have been there since Feb 24. Does anybody know what kind of hack that is, and how to get rid of those without causing any post-hack attack?

TIA
-er

_______________________________________________
List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
Archives: http://www.swynk.com/sitesearch/search.asp
To unsubscribe: mailto:[EMAIL PROTECTED]
Exchange List admin: [EMAIL PROTECTED]
RE: MSX5.5 hacked
You have but one choice: reformat the server. There is no way to be 100% sure that you have cleaned this. I am not joking. Be sure to search for any good warez before you reformat.

Milton R Dogg
Of The Dogg Foundation..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Bravo, Liliana
Sent: Thursday, March 14, 2002 9:35 AM
To: Exchange Discussions
Subject: MSX5.5 hacked
Importance: High

_______________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com
RE: MSX5.5 hacked
It's not exactly fair to say that Exchange was hacked. Inetpub is part of IIS, not Exchange.

-Peter

-----Original Message-----
From: Milton R. Dogg [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:01
To: Exchange Discussions
Subject: RE: MSX5.5 hacked

__________________________________________________
This message is private or privileged. If you are not the person for whom this message is intended, please delete it and notify me immediately, and please do not copy or send this message to anyone else.
RE: MSX5.5 hacked
Probably just a hacker using one of the many known IIS holes to hack your system. It's been thoroughly violated. The cmd.exe exploit (I'd bet ftp1.exe is cmd renamed) and the use of nc.exe are kind of outlined in this short article: http://www.eeye.com/html/Research/Papers/DS19981129.html. Good luck.

-----Original Message-----
From: Bravo, Liliana [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 12:35 PM
To: Exchange Discussions
Subject: MSX5.5 hacked
Importance: High
RE: MSX5.5 hacked
nc.exe is really the Win32 port of the infamous NetCat *nix program by Hobbit. This program can be used to get a remote command prompt. Most likely that is what cmd1.exe was used for. As for the third file, maybe an FTP server binary? Have you shut down the server? Do you log TCP/IP traffic? If so, then you could find out what is going on at the protocol level. Too bad it isn't a *nix system, or you could use TCT to do some post-mortem analysis.

Good Luck,
~John

-----Original Message-----
From: Bravo, Liliana [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 12:35 PM
To: Exchange Discussions
Subject: MSX5.5 hacked
Importance: High
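The two replies above point at the same place to look: the reply citing the eEye paper says the box was most likely entered through a known IIS hole that reaches cmd.exe, and John asks whether the traffic and logs can show what happened at the protocol level. The IIS web log is the quickest source for both questions. The script below is an added example, not code from anyone in this thread. It assumes IIS W3C extended logging with its default field layout, and its sample log lines are constructed; in particular, the URL-encoded traversal sequences used to reach cmd.exe, the renamed copy to c:\inetpub\cmd1.exe, and the nc.exe command line are assumptions about how such an intrusion looks, since the thread only says "one of the many known IIS holes". It flags any request that traverses out of the web root or names cmd.exe or the three dropped files, and reports the earliest hit and the client addresses involved.

```python
"""Scan IIS W3C extended log lines for web requests that reach cmd.exe
through a traversal bug and for any request naming the dropped tools
(nc.exe, ftp1.exe, cmd1.exe).

Added example; not code from anyone in the thread. The log below is
constructed to look like IIS 5 W3C extended logging; the traversal
encodings are an assumption about how cmd.exe was reached.
"""
import re
from urllib.parse import unquote

# Filenames reported in the original post, plus the cmd.exe they wrap.
INDICATORS = ("cmd.exe", "cmd1.exe", "nc.exe", "ftp1.exe")

# Raw (still URL-encoded) traversal patterns as they appear in cs-uri-stem.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%2e%2e|%c0%af|%c1%9c|%255c|%252f)", re.I)

# Constructed sample log; spaces inside the query show up as '+' in W3C logs.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-02-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-20 08:15:02 192.168.7.20 GET /exchange/ - 200
2002-02-24 03:12:55 10.1.1.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-02-24 03:13:20 10.1.1.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\cmd1.exe 502
2002-02-24 03:14:10 10.1.1.5 GET /scripts/..%255c../inetpub/cmd1.exe /c+nc.exe+-d+-L+-p+3333+-e+cmd1.exe 502
2002-03-01 09:00:00 192.168.7.20 GET /default.htm - 200
"""


def decode_twice(s):
    """Decode URL escapes twice: a double-encoded %255c only becomes a
    backslash after the second pass, so a single decode would miss it."""
    return unquote(unquote(s))


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split(" ", len(fields) - 1)
        if len(parts) != len(fields):
            continue  # truncated line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_suspicious(text):
    """Return flagged requests, each with the list of reasons it was flagged."""
    hits = []
    for rec in parse_w3c(text):
        stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
        decoded = decode_twice(stem + " " + query).lower()
        reasons = []
        if TRAVERSAL.search(stem) or "../" in decoded or "..\\" in decoded:
            reasons.append("traversal")
        reasons.extend(name for name in INDICATORS if name in decoded)
        if reasons:
            hits.append({"date": rec["date"], "time": rec["time"],
                         "c-ip": rec["c-ip"], "stem": stem, "query": query,
                         "reasons": reasons})
    return hits


def first_seen(hits):
    """Earliest flagged date (ISO date strings sort chronologically); this is
    the 'since when' question the original poster put to their logs."""
    return min(h["date"] for h in hits) if hits else None


def source_ips(hits):
    """Distinct client addresses behind the flagged requests."""
    return sorted({h["c-ip"] for h in hits})


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for h in found:
        print(h["date"], h["time"], h["c-ip"], ",".join(h["reasons"]),
              h["stem"], h["query"])
    print("first seen:", first_seen(found), "from", source_ips(found))
```

Run it against the real log directory (c:\winnt\system32\LogFiles\W3SVC1 on a default IIS 5 install) by reading each file's text into find_suspicious. Two caveats: a 502 status on a cmd.exe request does not mean the command failed, it is what IIS returns when the spawned process writes no proper CGI headers, and anything that arrived over a channel other than HTTP (the nc.exe listener itself, for example) will never appear in this log, which is why John's question about TCP/IP traffic logging still matters.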
RE: MSX5.5 hacked
Your SERVER was hacked. Period. It needs to be reformatted.

Milton R Dogg
Of The Dogg Foundation..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Durkee, Peter
Sent: Thursday, March 14, 2002 10:05 AM
To: Exchange Discussions
Subject: RE: MSX5.5 hacked
RE: MSX5.5 hacked
Agreed!

-----Original Message-----
From: Milton R. Dogg [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 14, 2002 10:47 AM
To: Exchange Discussions
Subject: RE: MSX5.5 hacked
Re: MSX5.5 hacked
As others have pointed out, your IIS server got hacked; Exchange itself is probably fine, but I would bet your passwords have been compromised. Back up Exchange and any data you want to keep. Flatten this box, reinstall and put the ding-dang security hotfixes on it before putting it back on the network. Then restore Exchange (the disaster recovery whitepaper will come in handy here). Change ALL your passwords. All of them. I'm not kidding at all: you don't know to what extent your enterprise has been compromised.

----- Original Message -----
From: Bravo, Liliana [EMAIL PROTECTED]
To: Exchange Discussions [EMAIL PROTECTED]
Sent: Thursday, March 14, 2002 11:34 AM
Subject: MSX5.5 hacked