W32Time.exe Trojan (W2K)



carerros
04-20-2002, 12:03 AM
Hey all,

Recently someone has hacked about 30 W2K Servers (some running as DNS, DHCP, Exchange 2000) and workstations (Professional). Some of these are running in Native Mode, some in Mixed, and some are just standalone workstations. All are connected to the Internet through a campus-wide WAN (without any firewall).

It took us about three weeks to discover this hack because it does nothing overly apparent. It stops your Time service by dropping a file called "W32Time.srv" and having it started when you reboot.

One reason that this hack wasn't very apparent is that Norton doesn't catch it and McAfee is only running on a small number of these boxes.

The problem we have is that we don't know what all was infected. As far as we have been able to tell, this file was dropped in. A few registry entries were changed (one dealing with stopping all default shares from reappearing on their own), and that is all that we have noticed. Also, all event logs were wiped clean.

All the boxes that were hit have been up to date on service packs and hotfixes, but again, this was before the latest 10 IIS fix patch that just came out. If anyone knows anything about who or what might have done this, or more to the point if I should expect anything else to appear, it would be nice.

McAfee has marked the trojan as Backdoor-Wu.svr but has very little to say about it.

Well, I thought I would ask.
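The post describes three things a defender can check for on each host: a service being started from an unexpected file ("W32Time.srv"), a registry change that suppresses the default administrative shares, and event logs that were cleared. The following PowerShell triage script is an added example, not code from the thread or from McAfee; it assumes a current Windows host with PowerShell (the poster's machines were Windows 2000, where these cmdlets did not exist), and it assumes that the share-related registry values the poster mentions are the LanmanServer AutoShareServer/AutoShareWks values, which is the standard mechanism for turning default shares off.

```powershell
# Added host-triage script (example code, not from the original thread).
# Collects indicators matching the symptoms described in the post:
#   1. services whose executable lives outside %SystemRoot%, or a W32Time
#      service whose binary is not the built-in svchost host process
#   2. any file named W32Time.srv under the Windows directory (name from the post)
#   3. LanmanServer AutoShare* values set to 0 (assumed to be the "default
#      shares" registry change the poster saw)
#   4. "audit log cleared" events (Security 1102 / 517, System 104)
# Run from an elevated prompt; output is a list of findings, empty when clean.

$windir   = $env:SystemRoot
$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([PSCustomObject]@{ Check = $Check; Detail = $Detail })
}

# Pull the executable path out of a service PathName, which may be quoted and
# may carry arguments (e.g. "C:\x\y.exe" -k netsvcs).
function Get-ServiceExe([string]$PathName) {
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($PathName -match '^(.*?\.exe)') { return $Matches[1] }
    return $PathName
}

# 1. Service binaries outside the Windows directory, plus the W32Time service itself.
foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceExe $svc.PathName
    if ($exe -notlike "$windir*") {
        Add-Finding 'ServiceOutsideSystemRoot' ("{0} [{1}] -> {2}" -f $svc.Name, $svc.State, $exe)
    }
    if ($svc.Name -ieq 'W32Time' -and $exe -notlike "$windir\System32\svchost.exe") {
        Add-Finding 'W32TimeBinaryReplaced' ("W32Time starts from {0}" -f $exe)
    }
}

# 2. The dropped file name reported in the thread.
Get-ChildItem -Path $windir -Recurse -Filter 'W32Time.srv' -Force -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'DroppedFile' $_.FullName }

# 3. Default administrative shares suppressed via the registry (assumed values).
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
foreach ($name in 'AutoShareServer', 'AutoShareWks') {
    $value = (Get-ItemProperty -Path $lanman -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $value -and $value -eq 0) {
        Add-Finding 'DefaultSharesDisabled' ("{0} = 0 in {1}" -f $name, $lanman)
    }
}

# 4. Evidence that logs were cleared. 1102 is the modern Security-log event,
# 517 was its Windows 2000/XP/2003 equivalent, 104 is the System-log event.
$queries = @(
    @{ LogName = 'Security'; Id = 1102, 517 },
    @{ LogName = 'System';   Id = 104 }
)
foreach ($q in $queries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        ForEach-Object {
            Add-Finding 'LogCleared' ("{0} event {1} at {2}" -f $q.LogName, $_.Id, $_.TimeCreated)
        }
}

if ($findings.Count -eq 0) { 'No indicators found on this host.' }
else { $findings | Format-Table -AutoSize }
```

A cleared log is itself a finding: if the "log cleared" event is the oldest entry in the Security log, the gap before it is when the compromise most likely happened, so the timestamp should be compared across the 30 hosts to order the intrusion. The script deliberately reports any service running from outside the Windows directory rather than only the name from the post, since the same technique works with any file name.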

Jama
04-20-2002, 01:08 AM
I think it’s an insider job!

http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99424

Jama