Don’t apologize. Those are two great resources. I strongly advise anyone who does
Windows admin to get on the ntbugtraq list.
Jesse Howard
________________
Information Systems
Michigan State University Press
[log in to unmask]
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of John Resotko
Sent: Wednesday, January 22, 2003 11:05 AM
To: [log in to unmask]
Subject: Re: Recent hacking activity on campus
My apologies... obviously,
that should have gone to just Deb, not the list. My sincere apologies to
the list members. Obviously I haven't had enough coffee today.
-/John Resotko
>>> [log in to unmask] 01/22/03 10:48AM >>>
At that, of course,
explains why you haven't been answering email and voicemail messages, eh?
(grin) Just kidding! Actually, if you haven't already found this, check
out
for some great white
papers about common exploits, and information about the top vulnerabilities on
NT/Win2k servers that can be easily fixed/patched. I spent a lot of time
at this site when I administered the NT servers at AHDL. Also check
out:
which has become something
of the industry standard for discussion and fixes on exploits and bugs in
WinNT/2K/XP. Welcome to the wonderful world of Microsoft System Admin.
Makes me glad I'm working in a pure Netware shop now.
So, you in for lunch on
Friday? Got any plans for today?
-/John
>>> [log in to unmask] 01/22/03 10:20AM >>>
Wow....
That describes the activity that led me to look for the virus... curious.
And yes, found the backdoor.NTHack via a process it creates,
"firedaemon.exe".
Thanks much!!
Deb
Deb McKenna
Computer Systems Analyst
Student Athlete Support Services
Michigan State University
239 Smith Center
353-9161/office
432-0060/FAX
[log in to unmask]
-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of Rob Neary
Sent: Wednesday, January 22, 2003 10:15 AM
To: [log in to unmask]
Subject: Re: Recent hacking activity on campus
I'm not sure which worm/virus this is, but I'd like to share an
interesting back-door-type attack we had on some of our systems a couple
weeks ago...
For anyone who runs Microsoft SQL server, you are probably familiar with
the fact that the "root" account (called SA), is installed under v7.0
and possibly 2K (don't remember) with no password. This poor choice on
Microsoft's part also trickles down to their desktop product - MSDE
(Microsoft Database Engine) - which I'm finding a lot of packages now
come with as their desktop database solution. There are script-worms
that are designed to exploit this, and what we saw was a typical FTP
Dump site setup on two machines.
If you install anything that uses MSDE, you might want to take a look at
this article to change the SA password:
"HOW TO: Verify and Change the System Administrator Password by Using
MSDE"
http://support.microsoft.com/default.aspx?scid=kb;en-us;322336
Safe computing :)
Rob Neary
Senior Computer Systems Specialist
Medical School Information Systems
email: [log in to unmask]
> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 9:50 AM
> To: [log in to unmask]
> Subject: Recent hacking activity on campus
>
>
> Good morning,
>
> Hopefully this is the proper place to post this. Has anyone
> else recently (as in the past week) gotten attacked via the
> backdoor.NTHack virus? (Win2k Server). One of my students
> mentioned that another department may have gotten this.
>
> If you have *any* experience with this, I would welcome any
> and all suggestions.
>
> Thanks much,
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>