A co-worker of mine also works as a contract IT consultant for several companies. Over the last 4 days, 3 of the companies' servers have been trashed. A download manager has been installed. It was used to download Plesk, TomCat and several other installations, including Windows Live Messenger and OneCare. The application log shows the installation of Plesk starting in the evening. Approximately 2 hours after it gets installed, it is also uninstalled and Windows Live software is installed. A user logs in to Live Messenger as boy_niggas@hotmail.com.... By the time we reached the server, the NIC was set to forced Gigabit (not supported by the network switch), the server name was changed to EnverS and all user accounts were either deleted or modified in some way.

The co-worker is currently working at the 3rd customer where all of the above was performed, except the Windows Live stuff. One of the sites has a Cisco 501 PIX and the logs are clean. Does not look like someone was port sniffing. ALL of the sites have port 3389 open to the server. Not the smartest thing now that he is looking back on this.

Is it safe to assume 3389 was the vehicle used? Has anyone else seen this? Is there a way to tell HOW this was done if not 3389? Thanks for your help. Boy does he have a busy weekend rebuilding servers and 2 active directories.
AP
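One way to answer the "was it 3389?" question from the evidence that survives, as an added example that is not part of the original post: pull the logon events out of the Security log and tally RDP logons (logon type 10, RemoteInteractive) by source address, keeping only addresses outside the LAN. The flattened "EventID | LogonType | Account | SourceIP" lines below are constructed sample data; the event IDs (528/540 on Server 2003, 4624 on 2008 and later for success; 529/4625 for failure) and the assumption that the office LAN uses RFC 1918 space are mine, not from the post.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample records, one logon event per line, in a flattened
# "EventID | LogonType | Account | SourceIP" form exported from the Security log.
SAMPLE_EVENTS = """\
4624 | 10 | ADMINISTRATOR | 203.0.113.45
4624 | 2  | jsmith        | -
4624 | 10 | ADMINISTRATOR | 203.0.113.45
4625 | 10 | ADMINISTRATOR | 203.0.113.45
4625 | 10 | ADMINISTRATOR | 203.0.113.45
4624 | 10 | backup        | 192.168.1.20
528  | 10 | ADMINISTRATOR | 198.51.100.7
"""

SUCCESS_IDS = {"528", "540", "4624"}   # 528/540: Server 2003; 4624: 2008 and later
FAILURE_IDS = {"529", "4625"}
RDP_LOGON_TYPE = "10"                  # RemoteInteractive: Terminal Services / RDP
# Assumption: the customer LANs use RFC 1918 addressing; anything else is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(r"^\s*(\d+)\s*\|\s*(\d+)\s*\|\s*(\S+)\s*\|\s*(\S+)\s*$")

def parse_events(text):
    """Turn the flattened export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"id": m.group(1), "type": m.group(2),
                           "account": m.group(3), "src": m.group(4)})
    return events

def is_external(src):
    try:
        addr = ip_address(src)
    except ValueError:
        return False   # "-" or a hostname: no address to judge
    return not any(addr in net for net in INTERNAL_NETS)

def rdp_summary(text):
    """Per external source address: RDP successes, failures and accounts used."""
    summary = {}
    for ev in parse_events(text):
        if ev["type"] != RDP_LOGON_TYPE or not is_external(ev["src"]):
            continue
        entry = summary.setdefault(ev["src"], {"success": 0, "failure": 0, "accounts": set()})
        if ev["id"] in SUCCESS_IDS:
            entry["success"] += 1
            entry["accounts"].add(ev["account"])
        elif ev["id"] in FAILURE_IDS:
            entry["failure"] += 1
    return summary

if __name__ == "__main__":
    for src, info in rdp_summary(SAMPLE_EVENTS).items():
        print(src, info)
```

An external address with failures followed by a success on an administrative account is the pattern to look for; if the Security log shows no type 10 logons at all around the time the application log records the Plesk install, RDP is less likely to have been the way in.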