September 9, 2002 12:01 PM PDT
Microsoft "solves" hacking mystery
An advisory from the software giant last week warned companies of a number of attacks targeting servers running Windows 2000, the cause of which had initially puzzled Microsoft.
After following a trail of evidence left behind on compromised Windows 2000 servers, the company now believes that hackers have systematically exploited Windows 2000 servers that haven't been properly locked down, rather than a hole in the operating system.
"Microsoft has determined that these attacks do not appear to exploit any new product-related security vulnerabilities and do not appear to be viral or worm-like in nature," the software giant stated in an advisory posted late Friday. "Instead, the attacks seek to take advantage of situations where (proper) precautions have not been taken."
The attacks are linked by a common set of software detritus, left behind by an attacker to help keep control of compromised boxes. The most recent advisory warns that "successful compromises leave a distinctive pattern," including a modified security policy--if the victim's computer is a domain controller--and files identified as Backdoor.IRC.Flood.
Backdoor.IRC.Flood installs an Internet Relay Chat (IRC) client that allows remote and unlimited access to the compromised computer.
In addition, the hacked computers contain a common set of files, including Gg.bat, Seced.bat, Nt32.ini, Ocxdll.exe and Gates.txt. The file Gg.bat attempts to connect to other servers as an administrator or root user, while Seced.bat changes the security policy. Gates.txt contains a list of numerical Internet addresses; the advisory didn't offer details as to what the addresses may correspond.
All the compromised computers ran Microsoft's Windows 2000 operating system.
Microsoft stressed in its advisory that while the attacks seem to have a common thread, there wasn't any proof that they exploited a weakness in the operating system.
"The attackers appear to have gained entry to the systems by using weak or blank administrator passwords," the company said in the latest advisory.
However, the software giant didn't explain why every computer attacked happened to be a Windows 2000 server. Insecure password problems affect all computers, not just a single version of an operating system.
Microsoft recommends that all its customers protect their servers by eliminating weak or blank passwords, disabling the guest account, running up-to-date antivirus software, using firewalls to protect internal servers and keeping current with all security patches.