Re: WinNT Widespread Teardrop Exploit

From: Michael Young - 716-475-6031 (mcysysat_private)
Date: Wed Mar 04 1998 - 06:56:24 PST


    We got hit by this here at RIT between 6pm and 10pm Monday night.  Based
    on the machines that were hit it seems to be a combination of both TearDrop
    and the latest SMB logon type attack on WinNT/95 boxes.  All of the machines
    that had both of the patches available for these exploits (See Microsoft
    Articles Q179129,Q180963) were unaffected (including mine).  Those that had
    only the Teardrop fix were hit by the other one.
    
    Michael Young
    Rochester Institute of Technology
    mcysysat_private
    
    > -----Original Message-----
    > From: Bugtraq List [mailto:BUGTRAQat_private]On Behalf Of Aleph One
    > Sent: Wednesday, March 04, 1998 12:59 AM
    > To: BUGTRAQat_private
    > Subject: WinNT Widespread Teardrop Exploit
    >
    >
    > There seems to be a very large Teardrop type attack going on. Rumors are
    > that it may not actually be Teardrop but some new vulnerability that
    > affects Windows 95, Windows NT and Linux, but no one seems to have yet
    > verified this claim.
    >
    > This incident may be related to the recent large attack on NASA sites
    > < http://www.news.com/News/Item/0,4,19674,00.html?st.ne.fd.gif.c >
    > which in turn may be related to a threat made by one of the recently raided
    > teenagers involved in the "Pentagon" attacks where he suggests that others
    > may take retaliatory action for his treatment
    > < http://www.wired.com/news/news/technology/story/10666.html >.
    >
    > You may wish to keep a network sniffer running looking for interesting
    > traffic and if you see an attack try and verify if it is indeed Teardrop
    > or something else.
    >
    > Aleph One / aleph1at_private
    > http://underground.org/
    > KeyID 1024/948FD6B5
    > Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
    >
    > ---------- Forwarded message ----------
    > Date: Tue, 03 Mar 1998 23:27:49 -0500
    > From: Dale Drew <ddrewat_private>
    > To: miigsat_private, mealsat_private
    > Subject: WinNT Widespread Teardrop Exploit : iMCISE:IMCI:030398:01:P1R1
    >
    >
    >
    >                           MCI Telecommunications
    >
    >                          internetMCI Security Group
    >
    >
    > Report Name: iMCI Security Alert - WinNT Widespread Teardrop Exploit
    > Report Number: iMCISE:IMCI:030398:01:P1R1
    > Report Date: 03/03/98
    > Report Format: InFormal
    > Report Classification: MCI Informational
    > Report Reference: http://www.security.mci.net
    >
    > ------------------------------------------------------------------------
    >
    > MCI has received confirmation of an ongoing, widespread
    > attack specifically targeting Internet connected WindowsNT
    > systems.  We are providing this data in an effort to
    > alert you to these attacks, and to possibly provide a
    > protection mechanism against them.
    >
    > This exploit appears to be a variation of the TearDrop
    > (http://www.microsoft.com/security) attack that
    > has affected Win95 and WinNT machines in the past.
    >
    > Patches for this appear to be available at:
    >
    ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/Q179129.txt
    ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/README.TXT
    
    for intel
    ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/tearfixi.exe
    
    for alpha
    ftp://ftp.microsoft.com/bussys/winnt/winntpublic/fixes/usa/nt40/hotfixes-postSP3/teardrop2-fix/tearfixa.exe
    
    The attacks appear to be automated and coming from multiple
    sources, sweeping specific systems within a customer's network
    (e.g., possibly obtaining a list of systems via DNS tables, then
    attacking found systems).  You may want to take measures to
    have your Intrusion Detection systems look for sequential
    DNS lookups of your netblocks.
    
    Source addresses of the attack have been forged; one address
    that has been used in previous attacks is 199.0.154.13,
    although that address could be changed at any time, since
    the address is a forged, invalid address.
    
    Source ports of the attack, thus far, have been TCP port 4000,
    although that port could be changed at any time as well.
    
    The attack appears to be focused on .gov and .edu sites, although
    some commercial sites have registered complaints.
    
    Should you have any questions, please feel free to contact myself
    or MCI's Incident Response Team at "securityat_private".
    
    NT and Microsoft security issues can be obtained at:
    
    http://www.microsoft.com/security
    http://listserv.ntbugtraq.com/archives/index.html
    
    
                       SUCCESS THROUGH TEAMWORK
    ================================================================
    
    Dale Drew                                 MCI Telecommunications
    Sr. Manager                                 internetMCI Security
                                                         Engineering
    Voice:  703/715-7058                     Internet: ddrewat_private
    Fax:    703/715-7066                 MCIMAIL: Dale_Drew/644-3335
    
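Aleph One asks readers to keep a sniffer running and verify whether what they see is really Teardrop. The following is an added example, not code from any of the posters or from MCI: it parses raw IPv4 headers and reports fragments that overlap an earlier fragment of the same datagram, marking the Teardrop shape (a later fragment that both starts inside and ends before the earlier one, which left the vulnerable reassemblers with a negative fragment length). The victim address 10.0.0.5, the datagram IDs and the benign 192.0.2.10 sender are constructed; 199.0.154.13 is the forged source quoted in the alert and is used here only as a sample value. Real captures would be fed in as raw IP packets (for instance from a pcap); reading them is not shown.

```python
"""Flag Teardrop-style overlapping IPv4 fragments in a stream of raw IP packets."""
import struct
from collections import defaultdict

# Constructed sample addresses. 199.0.154.13 is the forged source mentioned in
# the MCI alert; 10.0.0.5 is an assumed victim, not a real host.
ATTACKER = "199.0.154.13"
VICTIM = "10.0.0.5"
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/fragment-offset field
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_addr(text):
    """Dotted quad -> 4 raw bytes."""
    return bytes(int(o) for o in text.split("."))


def build_fragment(src, dst, ident, offset, more_fragments, payload, proto=17):
    """Build a minimal IPv4 fragment for the sample capture.

    offset is the byte offset of this fragment's payload in the reassembled
    datagram; the wire format carries it in 8-byte units. The header checksum
    is left at zero because the detector below does not depend on it.
    """
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    flags_frag = (MF_FLAG if more_fragments else 0) | (offset // 8)
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0, ipv4_addr(src), ipv4_addr(dst))
    return header + payload


def parse_ipv4(packet):
    """Return the header fields a reassembler keys and sizes fragments by."""
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & MF_FLAG),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload_len": total_len - ihl,
    }


def find_overlapping_fragments(packets):
    """Track the byte range each fragment claims and report overlaps.

    Fragments are keyed by (src, dst, id, proto) exactly as a reassembler keys
    them. Any overlap with an earlier fragment is reported; when the new
    fragment also ends before the earlier one ends, the finding is marked as
    the Teardrop shape.
    """
    seen = defaultdict(list)      # datagram key -> list of (start, end) byte ranges
    findings = []
    for raw in packets:
        p = parse_ipv4(raw)
        if not p["mf"] and p["offset"] == 0:
            continue              # unfragmented datagram, nothing to check
        key = (p["src"], p["dst"], p["id"], p["proto"])
        start, end = p["offset"], p["offset"] + p["payload_len"]
        for prev_start, prev_end in seen[key]:
            if start < prev_end and prev_start < end:
                findings.append({
                    "key": key,
                    "earlier": (prev_start, prev_end),
                    "overlapping": (start, end),
                    "teardrop_shape": end < prev_end,
                })
        seen[key].append((start, end))
    return findings


# Constructed sample capture: a Teardrop-shaped pair (second fragment starts
# at byte 24 and ends at 28, inside the first fragment's 0..36) followed by an
# ordinary two-fragment UDP datagram that must not be flagged.
SAMPLE_CAPTURE = [
    build_fragment(ATTACKER, VICTIM, 242, 0, True, b"A" * 36),
    build_fragment(ATTACKER, VICTIM, 242, 24, False, b"B" * 4),
    build_fragment("192.0.2.10", VICTIM, 7, 0, True, b"C" * 1480),
    build_fragment("192.0.2.10", VICTIM, 7, 1480, False, b"D" * 100),
]


if __name__ == "__main__":
    for finding in find_overlapping_fragments(SAMPLE_CAPTURE):
        print(finding)
```

The check works purely on IP-layer fragment ranges, so it does not care which transport port the alert reports; that is what lets it tell a Teardrop-type packet pair apart from something else that merely arrives from the same forged address. A production version should also validate the header checksum and expire datagram keys after a reassembly timeout so a long capture does not grow `seen` without bound.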
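The MCI alert suggests having intrusion detection watch for sequential DNS lookups of your netblocks, on the theory that the attackers enumerate targets through DNS before hitting them. The following is an added example, not MCI's or any poster's code, of that check run over resolver query logs: it groups PTR (reverse) lookups by querying client and reports any client that walks consecutive addresses of a block within a short window. The log line format here is constructed for the example (timestamp, client, query name, query type) rather than the format of any particular name server, and the client addresses 203.0.113.7 and 198.51.100.9 and the 192.0.2.0/24 target block are assumed sample values.

```python
"""Spot a client sweeping reverse-DNS (PTR) names across a netblock."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta


def parse_line(line):
    """Parse one constructed query-log line.

    Format assumed for this example:
      <ISO timestamp> client=<ip> query=<qname> type=<qtype>
    """
    ts_text, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.fromisoformat(ts_text), fields["client"], fields["query"], fields["type"]


def ptr_to_ipv4(qname):
    """Turn '13.0.154.199.in-addr.arpa' into IPv4Address('199.0.154.13'), else None."""
    labels = qname.rstrip(".").split(".")
    if len(labels) == 6 and labels[4:] == ["in-addr", "arpa"]:
        try:
            return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
        except ipaddress.AddressValueError:
            return None
    return None


def detect_ptr_sweeps(lines, min_run=8, window=timedelta(minutes=5)):
    """Report clients whose PTR queries form a run of consecutive addresses.

    A run continues while each query's address is exactly the previous one
    plus one and the whole run fits inside `window`; runs shorter than
    `min_run` are ignored so that a handful of ordinary lookups never fires.
    """
    by_client = defaultdict(list)          # client -> list of (timestamp, address as int)
    for line in lines:
        ts, client, qname, qtype = parse_line(line)
        if qtype != "PTR":
            continue
        addr = ptr_to_ipv4(qname)
        if addr is not None:
            by_client[client].append((ts, int(addr)))

    findings = []
    for client, events in by_client.items():
        events.sort()                      # by time, then address
        run_start = 0
        for i in range(1, len(events) + 1):
            continues = (i < len(events)
                         and events[i][1] == events[i - 1][1] + 1
                         and events[i][0] - events[run_start][0] <= window)
            if continues:
                continue
            if i - run_start >= min_run:
                findings.append({
                    "client": client,
                    "count": i - run_start,
                    "first": str(ipaddress.IPv4Address(events[run_start][1])),
                    "last": str(ipaddress.IPv4Address(events[i - 1][1])),
                    "started": events[run_start][0],
                })
            run_start = i
    return findings


def _ptr_line(ts, client, ip):
    """Helper to build a constructed PTR query-log line."""
    qname = ipaddress.IPv4Address(ip).reverse_pointer
    return f"{ts.isoformat()} client={client} query={qname} type=PTR"


# Constructed sample log: one client walks 192.0.2.1 through 192.0.2.12 a
# second apart, another does two unrelated PTR lookups and one A lookup.
T0 = datetime(1998, 3, 2, 18, 2, 0)
SAMPLE_LOG = (
    [_ptr_line(T0 + timedelta(seconds=i), "203.0.113.7", f"192.0.2.{i + 1}") for i in range(12)]
    + [
        _ptr_line(T0 + timedelta(seconds=3), "198.51.100.9", "192.0.2.5"),
        _ptr_line(T0 + timedelta(seconds=90), "198.51.100.9", "192.0.2.40"),
        f"{(T0 + timedelta(seconds=95)).isoformat()} client=198.51.100.9 query=www.example.com type=A",
    ]
)


if __name__ == "__main__":
    for finding in detect_ptr_sweeps(SAMPLE_LOG):
        print(finding)
```

Tune `min_run` and `window` to the block sizes you actually serve; a strict "previous address plus one" rule is deliberately narrow, so a scanner that randomizes order or strides by two will not be caught by this check and needs a count-of-distinct-addresses-per-client threshold alongside it. Zone transfer (AXFR) requests from unexpected clients are a simpler way to obtain the same target list and are worth alerting on separately.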