[wplug] Need help...

Chris vze2f6h6 at verizon.net
Thu Apr 3 16:44:11 EST 2003


I agree with you about finding out how this was done now that Radmin is
removed and so is mIRC.  I think that it was through a not too well managed
firewall.  I am now locking it down, and taking responsibility for it.  The
people who set it up and managed it no longer work for us.  It was just
kind of left there for a while.  Bad assumption that it was set up correctly.

I am also in the process of making sure all updates are current.  This
machine isn't really running anything (No IIS 5).  It is basically a fax
server.

Chris Romano
Atlas Brokerage Company, L.P.
cromano at atlasbd.com
724.743.7900
ext 221

-----Original Message-----
From: wplug-admin at wplug.org [mailto:wplug-admin at wplug.org] On Behalf Of Nick
Iglehart
Sent: Thursday, April 03, 2003 3:33 PM
To: wplug at wplug.org
Subject: RE: [wplug] Need help...

 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, so you found the remote admin and removed it. So now the attacker
just breaks in and acts a bit more stealthy? Shouldn't the goal here
be to find out how they got in and prevent them from doing so again?

Be aware that there is a brand spanking new IIS 5.0 exploit out there
as well as yet another sendmail vuln. Either one could very likely be
the culprit here. Not to mention slammer type exploits. Is the
firewall forwarding any incoming traffic to the box that was running
radmin? If not then you were attacked somewhere else and then that
box was used to get at the NT machine. 

Nick

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPoyadqq/UK5/FuEgEQLUqACdF+JIjGGPg9dOKGp8zNxP+zLcR9oAoLu/
2+S/j+UhLR1sRadQmQDayDt3
=OPMb
-----END PGP SIGNATURE-----
