Good - glad to share... These particular scripts installed the Serv-U (FTP service) on the systems I got hit on. The process wasn't even hidden, but it was actually red-flagged by the Medical Network guys (we're behind a firewall here, so they saw the traffic spike).

Take care - Rob

> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 10:20 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> Wow....
>
> That describes the activity that led me to look for the virus... curious. And yes, found the backdoor.NTHack via a process it creates, "firedaemon.exe".
>
>
> Thanks much!!
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]]On Behalf Of Rob Neary
> Sent: Wednesday, January 22, 2003 10:15 AM
> To: [log in to unmask]
> Subject: Re: Recent hacking activity on campus
>
>
> I'm not sure which worm/virus this is, but I'd like to share an interesting back-door-type attack we had on some of our systems a couple weeks ago...
>
> For anyone who runs Microsoft SQL server, you are probably familiar with the fact that the "root" account (called SA), is installed under v7.0 and possibly 2K (don't remember) with no password. This poor choice on Microsoft's part also trickles down to their desktop product - MSDE (Microsoft Database Engine) - which I'm finding a lot of packages now come with as their desktop database solution. There are script-worms that are designed to exploit this, and what we saw was a typical FTP Dump site setup on two machines.
>
> If you install anything that uses MSDE, you might want to take a look at this article to change the SA password: "HOW TO: Verify and Change the System Administrator Password by Using MSDE"
> http://support.microsoft.com/default.aspx?scid=kb;en-us;322336

Safe computing :)

Rob Neary
Senior Computer Systems Specialist
Medical School Information Systems
email: [log in to unmask]

> -----Original Message-----
> From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 9:50 AM
> To: [log in to unmask]
> Subject: Recent hacking activity on campus
>
>
> Good morning,
>
> Hopefully this is the proper place to post this. Has anyone else recently (as in the past week) gotten attacked via the backdoor.NTHack virus? (Win2k Server). One of my students mentioned that another department may have gotten this.
>
> If you have *any* experience with this, I would welcome any and all suggestions.
>
> Thanks much,
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>