[wplug] Need help...

Nick Iglehart nick at systemsecuritysolutions.com
Thu Apr 3 15:32:55 EST 2003


 
Ok, so you found the remote admin and removed it. So now the attacker
just breaks in and acts a bit more stealthy? Shouldn't the goal here
be to find out how they got in and prevent them from doing so again?

Be aware that there is a brand spanking new IIS 5.0 exploit out there
as well as yet another sendmail vuln. Either one could very likely be
the culprit here. Not to mention slammer type exploits. Is the
firewall forwarding any incoming traffic to the box that was running
radmin? If not then you were attacked somewhere else and then that
box was used to get at the NT machine.

Nick
