Re: May 1st Windows Attacks??

From: Al Stangenberger (forags@nature.berkeley.edu)
Date: Thu May 09 2002 - 13:01:06 PDT

• Next message: Paul Payne: "Re: May 1st Windows Attacks??"
• Previous message: Bruce Satow: "Re: May 1st Windows Attacks??"
• In reply to: Terre Beynart: "Re: May 1st Windows Attacks??"
• Next in thread: Paul Payne: "Re: May 1st Windows Attacks??"
• Next in thread: Bruce Satow: "Re: May 1st Windows Attacks??"

I don't think PC Anywhere was running on either of the two machines in CNR
that I know of.

However, we were notified by Craig Lant in SNS that several machines on
campus (including
our two) were probably hit through a vulnerability in MS SQL
Server. Here's his note:

>It looks like the above host(s) fell victim to an attack on the MS SQL
>server. A number of systems across campus were hit with this last week.
>Unfortunately, many of these systems were incapacitated and suffered loss
>of data. So, you may already be aware that something happened. This
>messages is just to let you know what we think happened and how to
>re-secure the system(s).
>The attack took advantage of a vulnerability is MS SQL server. A good
>description of the vulnerability along with information on applicable
>patches can be found at
>http://securityresponse.symantec.com/avcenter/security/Content/1865-6.html.
> In addition, if you haven't done so already, the affected systems should
>be rebuilt from secure media to make sure no trojan or malicious code was
>left behind.

-Al Stangenberger

At 12:19 PM 5/9/02 -0700, Terre Beynart wrote:
>What happened to that suggestion that PC Anywhere might have been
>implicated in these attacks? Does the sysadmin who first suggested it
>still think it might be the initial vulnerability? Was PC Anywhere
>running on the other victims?

--
Al Stangenberger                  Univ. of California at Berkeley
forags@nature.berkeley.edu         Dept. of Env. Sci., Policy, & Mgt.
                                    145 Mulford Hall # 3114
(510)642-4424  FAX:(510)643-3490   Berkeley, CA  94720-3114
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about Micronet, including subscribing to
or unsubscribing from its mailing list and finding out
about upcoming meetings, please visit the Micronet Web site:
<http://micronet.berkeley.edu/>.

• Next message: Paul Payne: "Re: May 1st Windows Attacks??"
• Previous message: Bruce Satow: "Re: May 1st Windows Attacks??"
• In reply to: Terre Beynart: "Re: May 1st Windows Attacks??"
• Next in thread: Paul Payne: "Re: May 1st Windows Attacks??"
• Next in thread: Bruce Satow: "Re: May 1st Windows Attacks??"

This archive was generated by hypermail 2b29 : Thu May 09 2002 - 13:01:49 PDT