[AccessD] OT: Been hacked

Jim Lawrence accessd at shaw.ca
Sun Oct 30 20:18:13 CST 2005


OT:

I would normally not post this item here but I am not sure where I would
find a more experienced group.

It appears that one of my servers has been hacked. :-(

The first indication, and it may be unrelated, is that one of my FTP
directories that I have used for uploading and downloading files has a
'Locked' directory in it. It is real simple to do this; and do not try it!

make a directory like:    \temp\o0oKARo0o\here\
and then rename it like:  \com1*\o0oKaro0o\here\
(* = space)

Does anyone here know how to get rid of the thing?
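As an added example (not from the original poster), here is a small Python scanner that flags the kind of entry described above: a path component that is a Win32 reserved device name (CON, PRN, AUX, NUL, COM1-9, LPT1-9, with or without an extension), or one ending in a space or dot, which normal Explorer/cmd tools cannot open or delete. The sample paths are constructed for the demo; the second one mirrors the renamed directory in the post.

```python
import os
import re
from typing import Iterable, Iterator, List, Tuple

# Win32 reserved device names. A component equal to one of these (even with an
# extension, e.g. "nul.log") is routed to the device, not the file system, so
# ordinary tools cannot list, open or remove it. Same for names ending in
# space or dot, which the Win32 layer silently strips on normal access.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})

ILLEGAL_CHARS = re.compile(r'[\x00-\x1f<>:"|?*]')


def suspicious_reasons(component: str) -> List[str]:
    """Explain why a single path component looks hidden/unremovable (empty if fine)."""
    if component in ("", ".", "..") or re.fullmatch(r"[A-Za-z]:", component):
        return []                      # skip empty parts, dot dirs and drive letters
    reasons = []
    base = component.split(".", 1)[0].strip()   # "com1.txt" and "com1 " both map to COM1
    if base.upper() in RESERVED:
        reasons.append(f"reserved device name {base.upper()}")
    if component != component.rstrip(" ."):
        reasons.append("trailing space or dot")
    if ILLEGAL_CHARS.search(component):
        reasons.append("illegal Win32 character")
    return reasons


def scan_paths(paths: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (path, offending component, reasons) for every suspicious component."""
    hits = []
    for path in paths:
        for comp in re.split(r"[\\/]", path):
            reasons = suspicious_reasons(comp)
            if reasons:
                hits.append((path, comp, reasons))
    return hits


def walk_tree(root: str) -> Iterator[str]:
    """Yield every file and directory path under root (for a live scan of an FTP share)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


# Constructed sample input; the second path mirrors the renamed directory in the post.
SAMPLE_PATHS = [
    r"C:\ftp\incoming\report.csv",
    r"C:\temp\com1 \o0oKaro0o\here",
    r"C:\ftp\uploads\nul.log",
]

if __name__ == "__main__":
    for path, comp, reasons in scan_paths(SAMPLE_PATHS):
        print(f"{path!r}: component {comp!r} -> {', '.join(reasons)}")
```

On a live server, feed `walk_tree(r"D:\ftproot")` into `scan_paths`; flagged entries can then be removed with a `\\?\`-prefixed path (for example `rd /s /q "\\?\C:\temp\com1 "`), which bypasses the Win32 name normalisation that hides them.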

The second indication is that on a subnet, even though all the computers
hung off it have been disconnected, there was a lot of activity on that IP
address logged. The intruder was tracked as far as an ISP in the States but
could be followed no further. According to his 'Webmin', Chinese is his
first language and his OS of choice is Linux. No more information could be
gathered.

He has not been able to access the administration account, as there were a
number of failed attempts logged while trying to change passwords. All the
account passwords change regularly and are of sufficient complexity (over
6 characters, a mixture of upper and lower case, a mixture of letters and
numbers, and at least one special character), but I still have no
idea how access was attained.

The computer is an Advanced Windows 2000 Server with the latest updates. Even
though all mail goes through it, it does not have the capacity to send mail
directly other than through PHP and ASP. It has an MS SQL Server but its ports
are closed. It does have IIS running, but none of the web sites are writable.


Any help would be greatly appreciated.
MTIA
Jim