Security Incidents mailing list archives

Re: Another unicode hacked box


From: Matt Scarborough <vexversa () USA NET>
Date: Wed, 9 May 2001 02:28:03 EDT

On Tue, 8 May 2001 22:31:53 -0600, Jon Zobrist  wrote:

> We've got a test server which was NT 4 SP6 IIS 4 no patches which was hit by
> an attack pretty much identical to this one on securityfocus.
>
> http://www.securityfocus.com/archive/88/170407

That is the BackGate kit.

> The box was in the DMZ and completely open for internet parties.

BackGate provides a platform for launching attacks internally and externally
using its Wingate component.

> It appears we were hit on March 6, 7, and 8, 2001...
> The attacker attempted to deface our web pages by uploading index.html and
> index.asp, both of which include the crude English "f*ck USA Government" and
> the message "f*ck PoinsonB0x"; it also includes a contact email address of
> sysadmincn () yahoo com cn
>
> I'm not sure if this warrants contacting the FBI or not; it appears clean up
> will be reinstalling completely.

If the box has been hosting BackGate for a month perhaps the logs have info
you or LE can use. There is an analysis of BackGate with some recovery options
including viewing the "hidden logs" here
http://www.incidents.org/react/unicode.php

Matt 2001-05-09
