MS puzzled by server attack spree

[Brian Densmore]

Yeah over the long weekend first one box went down then another.
Unfortunately
they are in the route before my Linux box reaches the internet, so my
mail server was inaccessible twice over the weekend.

> -----Original Message-----
> From: Jeremy Fowler [mailto:jfowler at westrope.com]
> Sent: Friday, September 06, 2002 3:28 PM
> To: Kclug at Kclug. Org
> Subject: MS puzzled by server attack spree
> 
> 
> http://zdnet.com.com/2100-1105-956647.html
> 
> MS puzzled by server attack spree
> 
> By Robert Lemos
> Special to ZDNet News
> September 5, 2002, 4:22 AM PT
> 
> 
> Microsoft released further details of a rash of attacks on 
> Windows 2000 servers
> that has so far stumped the software giant's research team.
> In an advisory posted Aug. 30, Microsoft warned customers 
> that several companies
> had recently observed an "increased level of hacking 
> activity." Microsoft
> Product Support Services (PSS) told system administrators to 
> be on the lookout
> for Trojan horses--programs that appear to be legitimate but 
> aren't--and for
> several specific kinds of odd network behavior.
> 
> On Wednesday, Mark Miller, security specialist for the 
> Microsoft PSS, said that
> the attacks seemed to be ongoing, but at a much reduced level.
> 
> 
> 
> "We saw a pretty sharp spike," he said, adding that "we 
> definitely consider this
> to be hacker activity and not worm activity."
> 
> Microsoft has only been able to characterize the attacks by 
> certain files that
> each compromised machine has in common and that compromised 
> machines have all
> been running Windows 2000.
> 
> One file, "gg.bat," attempts to connect to other computers 
> using various
> administrator accounts. If successful, the file will then 
> copy other files over
> to the compromised system. This behavior is usually 
> considered characteristic of
> a worm--but Miller stressed that since the file doesn't copy 
> itself to the
> victim's hard drive, it shouldn't be considered a worm.
> 
> Another file, "seced.bat," changes security settings on the 
> compromised system.
> This attack could make it easier for a vandal to later log 
> onto the computer and
> use the system. A third file, "gates.txt," contains a list of 
> numerical Internet
> addresses. Microsoft, however, is unsure whether they are addresses of
> compromised systems, computers to be targeted, or some unrelated list.
> 
> While the company wouldn't say how many machines or customers 
> had been victims
> of the attacks, Miller did say that "it has been a 
> significant number."
> 
> With the rate of compromise apparently declining, however, 
> Microsoft seems
> willing to wait before referring incidents to the Microsoft 
> Security Response
> Center, the company's internal clearing house for information 
> on flaws and bugs.
> Miller explained that the company has not been able to 
> determine if the attack
> uses some new flaw in its operating system or just finds 
> success because Windows
> 2000 system patches are out of date.
> 
> "We are still monitoring the situation and we are looking 
> into it," said Miller.
> 
> 
> 
> 
> 
> majordomo at kclug.org
>