
Don’t apologize. Those are two great resources. I strongly advise anyone who does Windows admin to get on the ntbugtraq list.

 

Jesse Howard

________________

Information Systems

Michigan State University Press
[log in to unmask]

msupress.msu.edu

 

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]] On Behalf Of John Resotko
Sent: Wednesday, January 22, 2003 11:05 AM
To: [log in to unmask]
Subject: Re: Recent hacking activity on campus

 

My apologies... obviously, that should have gone to just Deb, not the list.  My sincere apologies to the list members.  Obviously I haven't had enough coffee today.

 

-/John Resotko

>>> [log in to unmask] 01/22/03 10:48AM >>>

And that, of course, explains why you haven't been answering email and voicemail messages, eh?  (grin) Just kidding!  Actually, if you haven't already found this, check out

 

http://www.sans.org

 

for some great white papers about common exploits, and information about the top vulnerabilities on NT/Win2k servers that can be easily fixed/patched.  I spent a lot of time at this site when I administered the NT servers at AHDL.   Also check out:

 

http://www.ntbugtraq.com/

 

which has become something of the industry standard for discussion and fixes on exploits and bugs in WinNT/2K/XP.  Welcome to the wonderful world of Microsoft System Admin.  Makes me glad I'm working in a pure Netware shop now.

 

So, you in for lunch on Friday?  Got any plans for today?

 

-/John

>>> [log in to unmask] 01/22/03 10:20AM >>>
Wow....

That describes the activity that led me to look for the virus... curious.
And yes, found the backdoor.NTHack via a process it creates,
"firedaemon.exe".


Thanks much!!

Deb

Deb McKenna
Computer Systems Analyst
Student Athlete Support Services
Michigan State University
239 Smith Center
353-9161/office
432-0060/FAX

[log in to unmask]

-----Original Message-----
From: MSU Network Administrators Group [mailto:[log in to unmask]]On
Behalf Of Rob Neary
Sent: Wednesday, January 22, 2003 10:15 AM
To: [log in to unmask]
Subject: Re: Recent hacking activity on campus


I'm not sure which worm/virus this is, but I'd like to share an
interesting back-door-type attack we had on some of our systems a couple
weeks ago...

For anyone who runs Microsoft SQL server, you are probably familiar with
the fact that the "root" account (called SA), is installed under v7.0
and possibly 2K (don't remember) with no password.  This poor choice on
Microsoft's part also trickles down to their desktop product - MSDE
(Microsoft Database Engine) - which I'm finding a lot of packages now
come with as their desktop database solution.  There are script-worms
that are designed to exploit this, and what we saw was a typical FTP
Dump site setup on two machines.

If you install anything that uses MSDE, you might want to take a look at
this article to change the SA password:
"HOW TO: Verify and Change the System Administrator Password by Using
MSDE"
http://support.microsoft.com/default.aspx?scid=kb;en-us;322336

Safe computing :)

     Rob Neary
     Senior Computer Systems Specialist
     Medical School Information Systems
     email: [log in to unmask]

> -----Original Message-----
> From: MSU Network Administrators Group
> [mailto:[log in to unmask]] On Behalf Of Deb McKenna
> Sent: Wednesday, January 22, 2003 9:50 AM
> To: [log in to unmask]
> Subject: Recent hacking activity on campus
>
>
> Good morning,
>
> Hopefully this is the proper place to post this.  Has anyone
> else recently (as in the past week) gotten attacked via  the
> backdoor.NTHack virus? (Win2k Server).  One of my students
> mentioned that another department may have gotten this.
>
> If you have *any* experience with this, I would welcome any
> and all suggestions.
>
> Thanks much,
>
> Deb
>
> Deb McKenna
> Computer Systems Analyst
> Student Athlete Support Services
> Michigan State University
> 239 Smith Center
> 353-9161/office
> 432-0060/FAX
>
> [log in to unmask]
>
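
The check and fix that Rob Neary's message points to (a blank SA password on SQL Server or MSDE), as an added example that is not part of the original thread. It assumes a SQL Server 7.0/2000-era instance where `master.dbo.syslogins` exposes a `password` column, a sysadmin session in osql or Query Analyzer, and a placeholder password that must be replaced.

```sql
-- Added example, not from the thread. Assumes SQL Server 7.0/2000 or MSDE
-- and a sysadmin connection (osql or Query Analyzer).

-- 1. Report the authentication mode. In mixed mode, SQL logins such as sa
--    can authenticate over the network with just a login name and password.
EXEC master.dbo.xp_loginconfig 'login mode'
GO

-- 2. List every SQL-authenticated login (isntname = 0) with no password set.
--    On an install left at the defaults described above, sa shows up here.
SELECT name, createdate, updatedate
FROM   master.dbo.syslogins
WHERE  isntname = 0
  AND  password IS NULL
ORDER  BY name
GO

-- 3. Set a password on sa. The value below is a placeholder: replace it
--    with a strong password before running.
EXEC sp_password @old = NULL,
                 @new = '<REPLACE-WITH-STRONG-PASSWORD>',
                 @loginame = 'sa'
GO

-- 4. Re-run the audit. sa should no longer be listed; any other login that
--    still appears needs the same treatment.
SELECT name
FROM   master.dbo.syslogins
WHERE  isntname = 0
  AND  password IS NULL
GO
```

Run the audit on every machine that has had a package bundling MSDE installed, since those instances are easy to overlook.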