At a guess the MS-SQL sa account with no password is being used. A few weeks ago I needed to test Cerberus Information scanner, but I didn't have an MS-SQL server, so I pointed it at the first few NT machines I could find online (cohosted machines) and whaddya know, the first 3 I scanned had the vulnerability (the funny thing is contacting the ISP and telling them it was a problem took around a half hour and several emails including links to MS's site to convince them it was a problem).

Face it, to deface websites often requires little or no skill, simply download a tool, point and crack.

Kurt Seifried

----- Original Message -----
From: "Meritt James" <meritt_jamesat_private>
To: <INCIDENTSat_private>
Sent: Wednesday, May 02, 2001 10:26 AM
Subject: What "methods" are being used

> A variety of web defacements reportedly originating with the Chinese are
> being reported. Anyone know what method(s) are being used? This may be
> an indication of the number of discrete attackers (may not, but gotta
> make a guess. Spoofed and bounced IPs are pretty much useless.)
>
> Thanks!
>
> V/R
>
> James W. Meritt, CISSP, CISA
> Booz, Allen & Hamilton
> phone: (410) 684-6566
This archive was generated by hypermail 2b30 : Wed May 02 2001 - 12:59:27 PDT