I've been HACKED!!!

[Scarpozzi]

I just found out that I got hacked... I run a webserver on my DSL account. A friend called me up and let me know that my site had been attacked...I thought he was joking. I've got a router and Win2000. Whoever did it put this message on my main webbrowser:
<<
*uck USA Government
*uck PoizonBOx

contact:sysadmcn@yahoo.com.cn
>>
There were two ip addresses on the log files that messed around enough so I've done that much detective work, but who do I need to contact?
k-namemst.kus.hokkyodai.ac.jp is what one of the addresses returned as when I did an NSLookup... What should I do next? Any help is appreciated... Thanks

 

[Agamar]

You need to download this patch immediately and install it.



Here is the Bullitin

 

[Asubit]

http://attrition.org
you're probably up now.

 

[Wintal]

You probably got hacked by an unknowing unix box.

Take a look at the CERT advisory

Good luck!

 

[Ben]

Ya, I've been getting attacks for the last couple days.

So far my box had fed them nothing but 404 errors.

 

[Scarpozzi]

I think you're on the right track Agamar. After reading all that and installing the patch, I think that's how they got in. I did some checking on my system and they(or it) sent index.htm/index.asp and default.htm/default.htm only to places that one would run a webserver on... So I got those four files in my \inetpub, \wwwroot, c:\, and WinNT\.....It looks like they just did it by running scripts so I disabled scripts and cracked down. I didn't think anyone would try simply because my site isn't worth hacking... I'm just glad I hid all the secret files that the pentagon doesn't know about! But that was a bad message...sounded like someone doesn't like Uncle Sam, eh?

 

[Ben]

<< I didn't think anyone would try simply because my site isn't worth hacking >>


Ya, I thought the same thing too. After reading a little more about the &quot;worm&quot; attack that's responsible I realized that it searches for any server that's vulnerable.