[THIN] AW: Way OT but hey... i want to kill 2k server

  • From: "Pape Sascha" <Sascha.Pape@xxxxx>
  • To: thin@xxxxxxxxxxxxx
  • Date: Fri, 21 Feb 2003 09:39:56 +0100

Hi Kristof

If you guys use switches you should reset the counters. Then continue
to ping flood the IP (use large packets!) and watch the counters go
up. Once you know which port he's on you should know his location.
Shut down the port only if you are 100% sure you caught the right
machine :)

You mentioned he's running SQL - there's a default user being set up
when you install SQL. If he didn't change that you might want to
try and log in using the service account / blank password. That way
you can use the shutdown utility (resource kit) - even placing
the command into each user's autostart folder :)

Greets

Sascha Pape
Organisations- und Informatik-Dienste (OID)
Murbacherstrasse 21
6002 Luzern
Tel: 041 228 55 92 / Fax: 041 210 29 19 mailto:sascha.pape@xxxxx
Internet: http://www.lu.ch/oid
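
The counter-watching step in the reply above, as an added example that is not part of the original e-mail: it compares two snapshots of per-port octet counters taken before and after the test traffic and names a port only when it clearly stands out. The port names, counter values, uplink set and thresholds are constructed assumptions; where counters cannot be reset, a baseline snapshot with 32-bit wrap handling does the same job.

```python
# Added example (not from the original thread): find the access port whose
# traffic counter jumped during a test window, from two counter snapshots.

COUNTER32_MAX = 2 ** 32  # SNMP Counter32 values wrap around at 2^32

# Constructed sample snapshots of per-port octet counters (hypothetical names).
BEFORE = {"Gi0/1": 1_200_000, "Gi0/2": 4_294_900_000,
          "Gi0/3": 88_000, "Gi0/24": 3_000_000_000}
AFTER = {"Gi0/1": 1_260_000, "Gi0/2": 62_000_000,
         "Gi0/3": 91_000, "Gi0/24": 3_070_000_000}
UPLINKS = {"Gi0/24"}  # trunk/uplink ports carry everyone's traffic: ignore them


def counter_delta(before, after, modulus=COUNTER32_MAX):
    """Bytes counted between two readings, correct across a single wrap."""
    return (after - before) % modulus


def rank_ports(before, after, uplinks=()):
    """Return (port, delta) pairs for access ports, largest delta first."""
    deltas = {port: counter_delta(before[port], after[port])
              for port in before
              if port in after and port not in uplinks}
    return sorted(deltas.items(), key=lambda item: item[1], reverse=True)


def locate_port(before, after, uplinks=(), min_bytes=10_000_000, min_ratio=10):
    """Name a port only if it is unambiguous; otherwise return None.

    min_bytes: the top port must have moved at least this much traffic.
    min_ratio: the top port must exceed the runner-up by this factor, so a
               busy but unrelated port does not get shut down by mistake.
    """
    ranked = rank_ports(before, after, uplinks)
    if not ranked:
        return None
    top_port, top_delta = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    if top_delta < min_bytes:
        return None
    if runner_up and top_delta / runner_up < min_ratio:
        return None
    return top_port


if __name__ == "__main__":
    for port, delta in rank_ports(BEFORE, AFTER, UPLINKS):
        print(f"{port:8} {delta:>12,} bytes")
    print("candidate port:", locate_port(BEFORE, AFTER, UPLINKS))
```

A `None` result means the window was too short or another port was equally busy; repeat the measurement rather than disabling a port.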

> -----Original Message-----
> From: Kristof.DeMey@xxxxxxxxxxxxxx
> [mailto:Kristof.DeMey@xxxxxxxxxxxxxx]
> Sent: Friday, 21 February 2003 09:05
> To: thin@xxxxxxxxxxxxx
> Subject: [THIN] Way OT but hey... i want to kill 2k server
>
>
> Hi group
>
> I have a rather funny issue here...
> Someone has implemented a server in the network here but we
> can't find it :) He is using a range reserved for our trading
> people and they want to bring the
> server down to be able to use the IP it has in use.. There is
> also a SLAMMER VULNERABLE
> SQL server installed and that's also a reason to take it out.
>
> We have only: IP Address and Hostname,
> No login info, he's not added to a domain, nobody seems to
> be aware of the machine,
> No DNS record in the DNS server..
>
> I've sent mails to all IT personnel (about 400) and nobody
> knows about the machine. So I am DYING to kill it remotely.
>
> We tried spamming it with a telnet on port 19 (rdm text
> generator) but the simple TCP/IP services are disabled. I
> tried the SMB die vulnerability but he is NOT vulnerable.
>
> Anyone any ideas? I tried remote registry stuff and all but
> nothing seems to work. We are slowing it down by issuing
> huge ping requests but until now nobody is complaining so
> still no luck :)
>
> Anyone?
>
> Thx in advance....
>
> Any tip to slow the bugger down is also very welcome!
> That way we can trigger the "server installer" to call the
> networking department and then we got him :)
>
> Kind regards,
>
> Kristof De Mey
>
> Electrabel IT-Services - Infrastructure Services
> Service Operations - Exploitation NT & Mailing Systems
>
> Werhuizenkaai 16 - Q015 - 1000 Brussel
> Tel intern: 80.3387 - Tel: 00-32-2-206 33 87
> Fax intern: 80.3427 - Fax: 00-32-2-206 34 27