Q328691 - August 30, 2002 PSS Hacking Alert: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q328691
PSS Security Response Team Alert - Increase in Hacking Activity
DATE: August 30, 2002
PRODUCTS AFFECTED: Windows
MICROSOFT KNOWLEDGEBASE ARTICLE: Q328691
WHAT IS IT?
The Microsoft Product Support Services (PSS) Security Team is issuing an
alert about an increased level of hacking activity that the PSS Security
Team has been tracking. The activity seems to involve similar hacking
attempts. These hacking attempts show similar symptoms and behaviors.
The PSS Security Team has isolated the major similarities. This article
describes these similarities so that you can take appropriate action to:
Detect these hacking attempts.
Respond to any hacking attempts you detect.
IMPACT OF ATTACK: Compromise of computer, denial-of-service because of
security policy changes.
You may experience one or more of the following symptoms:
Possible detection of Trojans such as Backdoor.IRC.Flood and its variants.
This might include related Trojans with similar functionality. These
Trojans may not necessarily be detected by your antivirus software after
the hacker has made modifications to your computer.
Modification of the security policy on domain controllers. Some of the
possible effects of a modified security policy are:
Previously-disabled guest accounts have been re-enabled.
Changed security permissions on servers or in Active Directory.
No one can log on to the domain from the workstations.
Cannot open Active Directory snap-ins in the MMC.
Error logs show multiple failed logon attempts from legitimate users who were
Finding any backdoor Trojan indicates that the server is extremely
vulnerable to privilege escalation and hacking.
The following files and programs have also been found on computers that
have been compromised:
Gg.bat attempts to connect to other servers as 'administrator', 'admin',
or 'root'. It then looks for Flashfxp and Ws_ftp on the server, and then
copies several files, including Ocxdll.exe, to the server. Gg.bat then
uses the Psexec program to execute commands on the remote server.
Seced.bat changes the security policy.
If these files are found on your computer and they were not installed by
you or with your knowledge, run a thorough virus scan with an up-to-date
antivirus program.
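The following triage script is an added example and is not part of the Microsoft alert. It checks a Windows host for the indicators the alert lists: the named files, a re-enabled Guest account, the service that PsExec leaves behind, and a burst of failed logons in the Security log. The search roots, the 24-hour window, the failed-logon threshold and the use of event ID 4625 (the modern equivalent of the failed-logon events of that era) are assumptions made for this example.

```powershell
# Added triage script (not from the Microsoft alert). File names come from the
# alert; search roots, time window, threshold and event ID are assumptions.
$Indicators  = @('gg.bat', 'seced.bat', 'ocxdll.exe')          # from the alert
$SearchRoots = @($env:SystemRoot, "$env:SystemDrive\")          # assumed roots
$Findings    = New-Object System.Collections.Generic.List[string]

# 1. Named files. A hit means "scan and investigate", not "definitely malicious":
#    the alert says the files were found on compromised hosts, nothing more.
foreach ($root in $SearchRoots) {
    Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Indicators -contains $_.Name.ToLower() } |
        ForEach-Object { $Findings.Add("File indicator: $($_.FullName)") }
}

# 2. Guest account state. The alert lists "previously-disabled guest accounts
#    have been re-enabled" as a symptom. The WinNT provider resolves the SAM on
#    member servers and the domain account on a domain controller.
try {
    $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
    if (-not $guest.AccountDisabled) { $Findings.Add('Guest account is ENABLED') }
} catch { $Findings.Add("Could not read Guest account: $($_.Exception.Message)") }

# 3. PsExec residue. Gg.bat uses PsExec, which installs a PSEXESVC service on
#    the target; its presence on a server nobody administers that way is notable.
if (Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue) {
    $Findings.Add('PSEXESVC service present (PsExec has been run against this host)')
}

# 4. Failed logons for legitimate users. Groups 4625 events from the last 24 h
#    by target account; Properties[5] is TargetUserName for 4625 (assumption:
#    standard event layout). Threshold of 10 is arbitrary for this example.
$since = (Get-Date).AddHours(-24)
$failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$since} `
            -ErrorAction SilentlyContinue
$failed | Group-Object { $_.Properties[5].Value } |
    Where-Object { $_.Count -ge 10 } |
    ForEach-Object { $Findings.Add("$($_.Count) failed logons for '$($_.Name)' since $since") }

# Report. An empty list is "no listed indicator found", not "host is clean":
# the alert itself notes that a compromised host can never be fully certified.
if ($Findings.Count -eq 0) { Write-Output 'No indicators from Q328691 found.' }
else { $Findings | ForEach-Object { Write-Output "FINDING: $_" } }
```

Run it in an elevated PowerShell session so the Security log and the system folders are readable; any finding should lead to the full antivirus scan and the recovery guidance the alert recommends rather than to cleanup of individual files.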
As of August 2002, the PSS Security Team has not been able to determine the
technique that is being used to gain access to the computer. However,
because of the significant spike in activity, the PSS Security Team has
determined that these techniques are similar and/or automated in some
cases. Fully-patched computers that follow security best practices provide
the best protection from hacking or other malicious software.
Because of the nature of hacking, there is almost no way to fully certify a
computer as "clean" of all malicious software or changes that are made as a
result of the compromise. If you are sure your machine has been
compromised, Microsoft recommends you consult the CERT documentation on
how to recover from a root compromise:
If you believe that you have been hacked, you may want to contact your
legal counsel or law enforcement about your legal options.
As always, please make sure to use the latest anti-virus detection from your
anti-virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert, please contact your
Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US.
Outside of the US, please contact your local Microsoft subsidiary.
PSS Security Response Team
Kristin Thomas, MCSE, MCP
Microsoft Online Support Engineer