Deb;
You might also want to check the services on that computer for dameware.exe
and related files. Often our hacked systems have firedaemon and dameware
both loaded.
What fun!
Wendy
Wendy Tate
Network Coordinator - Department of Economics
Michigan State University
101 Marshall Hall
East Lansing, MI 48824
[log in to unmask] 517.355.1816
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Deb McKenna
Sent: Wednesday, January 22, 2003 10:20 AM
To: [log in to unmask]
Subject: Re: Recent hacking activity on campus
Wow....
That describes the activity that led me to look for the virus... curious.
And yes, found the backdoor.NTHack via a process it creates,
"firedaemon.exe".
Thanks much!!
Deb
Deb McKenna
Computer Systems Analyst
Student Athlete Support Services
Michigan State University
239 Smith Center
353-9161/office
432-0060/FAX
[log in to unmask]
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On
Behalf Of Rob Neary
Sent: Wednesday, January 22, 2003 10:15 AM
To: [log in to unmask]
Subject: Re: Recent hacking activity on campus
I'm not sure which worm/virus this is, but I'd like to share an
interesting back-door-type attack we had on some of our systems a couple
weeks ago...
For anyone who runs Microsoft SQL server, you are probably familiar with
the fact that the "root" account (called SA) is installed under v7.0
and possibly 2K (don't remember) with no password. This poor choice on
Microsoft's part also trickles down to their desktop product - MSDE
(Microsoft Database Engine) - which I'm finding a lot of packages now
come with as their desktop database solution. There are script-worms
that are designed to exploit this, and what we saw was a typical FTP
Dump site setup on two machines.
If you install anything that uses MSDE, you might want to take a look at
this article to change the SA password:
"HOW TO: Verify and Change the System Administrator Password by Using
MSDE"
http://support.microsoft.com/default.aspx?scid=kb;en-us;322336
Safe computing :)
Rob Neary
Senior Computer Systems Specialist
Medical School Information Systems
email: [log in to unmask]
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 9:50 AM
> To: [log in to unmask]
> Subject: Recent hacking activity on campus
>
>
> Good morning,
>
> Hopefully this is the proper place to post this. Has anyone
> else recently (as in the past week) gotten attacked via the
> backdoor.NTHack virus? (Win2k Server). One of my students
> mentioned that another department may have gotten this.
>
> If you have *any* experience with this, I would welcome any
> and all suggestions.
>
> Thanks much,
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
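
The service check suggested in the first reply above, as an added PowerShell example that is not from any list member: it flags services whose name or binary path contains firedaemon or dameware, the two names given in the thread. The function names and the sample service records are assumptions constructed for illustration.

```powershell
# Added example (not from the thread): flag services whose name or binary
# path contains one of the tool names mentioned in the messages above.
# A match is a lead to investigate; both tools also have legitimate uses.

function Get-ServiceImagePath {
    param([string]$PathName)
    # PathName may be quoted and may carry arguments, e.g.
    #   "C:\Program Files\x\svc.exe" -s    or    C:\dir\svc.exe -k group
    if ($PathName -match '^\s*"?(.+?\.exe)') { return $Matches[1] }
    return $PathName.Trim()
}

function Find-SuspectService {
    param(
        [Parameter(Mandatory)] [object[]]$Services,
        [string[]]$Patterns = @('firedaemon', 'dameware')  # names from the thread
    )
    foreach ($svc in $Services) {
        $image = Get-ServiceImagePath $svc.PathName
        $haystack = "$($svc.Name) $($svc.DisplayName) $image"
        foreach ($p in $Patterns) {
            if ($haystack -like "*$p*") {   # -like is case-insensitive
                [pscustomobject]@{
                    Name      = $svc.Name
                    State     = $svc.State
                    StartMode = $svc.StartMode
                    Image     = $image
                    Matched   = $p
                }
                break   # one finding per service is enough
            }
        }
    }
}

# Constructed sample records (not real findings) so the logic runs offline.
$sample = @(
    [pscustomobject]@{ Name = 'Spooler'; DisplayName = 'Print Spooler'; State = 'Running'
                       StartMode = 'Auto'; PathName = 'C:\WINNT\system32\spoolsv.exe' }
    [pscustomobject]@{ Name = 'sysmgr'; DisplayName = 'System Manager'; State = 'Running'
                       StartMode = 'Auto'; PathName = '"C:\WINNT\system32\drv\FireDaemon.exe" -s' }
    [pscustomobject]@{ Name = 'rctl'; DisplayName = 'Remote Control'; State = 'Stopped'
                       StartMode = 'Manual'; PathName = 'C:\WINNT\system32\dameware.exe' }
)
Find-SuspectService -Services $sample | Format-Table -AutoSize

# On a live host, pass the real service list instead of the sample:
# Find-SuspectService -Services (Get-CimInstance Win32_Service) | Format-Table -AutoSize
```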