Good - glad to share...
These particular scripts installed the Serv-U (FTP service) on the
systems I got hit on. The process wasn't even hidden, but it was
actually red-flagged by the Medical Network guys (we're behind a
firewall here, so the saw the traffic spike).
Take care - Rob
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 10:20 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> Wow....
>
> That describes the activity that lead me to look for the
> virus... curious. And yes, found the backdoor.NTHack via a
> process it creates, "firedaemon.exe".
>
>
> Thanks much!!
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]]On Behalf Of Rob Neary
> Sent: Wednesday, January 22, 2003 10:15 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> I'm not sure which worm/virus this is, but I'd like to share
> an interesting back-door-type attack we had on some of our
> systems a couple weeks ago...
>
> For anyone who runs Microsoft SQL server, you are probably
> familiar with the fact that the "root" account (called SA),
> is installed under v7.0 and possibly 2K (don't remember) with
> no password. This poor choice on Microsoft's part also
> trickles down to their desktop product - MSDE (Microsoft
> Database Engine) - which I'm finding a lot of packages now
> come with as their desktop database solution. There are
> script-worms that are designed to exploit this, and what we
> saw was a typical FTP Dump site setup on two machines.
>
> If you install anything that uses MSDE, you might want to
> take a look at this article to change the SA password: "HOW
> TO: Verify and Change the System Administrator Password by
> Using MSDE"
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322336
Safe computing :)
Rob Neary
Senior Computer Systems Specialist
Medical School Information Systems
email: [log in to unmask]
> -----Original Message-----
> From: MSU Network Administrators Group [mailto:[log in to unmask]] On
> Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 9:50 AM
> To: [log in to unmask]
> Subject: Recent hacking activity on campus
>
>
> Good morning,
>
> Hopefully this is the proper place to post this. Has anyone else
> recently (as in the past week) gotten attacked via the
> backdoor.NTHack virus? (Win2k Server). One of my students mentioned
> that another department may have gotten this.
>
> If you have *any* experience with this, I would welcome any and all
> suggestions.
>
> Thanks much,
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
