OSEC

From: H Carvey (keydet89yahoo.com)
Date: Mon Jul 23 2001 - 06:14:47 CDT

    When I was at BlackHat and DefCon recently, I was
    having discussions with some folks regarding an
    article I'd written on NT incident response. I'd
    written the article along the same lines as a
    Linux or Solaris incident response procedure, but
    with NT in mind.

    The discussion centered around this...having your
    hands on an NT or 2K box that was 'hacked' in much
    the same way as a Linux or Solaris box. I wasn't
    able to find anyone who has seen such a thing. I
    work on an all-NT infrastructure, with 2K systems
    providing web hosting in the data center. Many
    others have similar infrastructures.

    When a Linux box is 'hacked' (generally speaking,
    of course), the attacker puts on a rootkit and
    uses that box to step off an attack on other systems.
    This isn't something you see with NT. The
    'sadmind/IIS' (poisonbox) worm is another good
    example.

    So, my question to the group is this...has anyone
    seen a 'hacked' NT or 2K box? If so, what did you
    find out about it? What technique did the attacker
    use? How did they establish a foothold on the box,
    what tools did they load, and what did they do
    from there? I've already read through JD Glaser's
    BlackHat presentation from '99.

    It's been said that NT boxes are easy to hack b/c
    of vulnerabilities to services, but not easy to
    hack b/c you can't 'get on the box' the same way
    you can with Linux or Solaris.

    Input is appreciated.