Re: DDoS to microsoft sites

From: Bronek Kozicki (brokat_private)
Date: Wed Jan 30 2002 - 00:20:31 PST


    Hello
    
    Wednesday, January 30, 2002, 12:23:51 AM, you wrote:
    > A port scan of one of the infected hosts shows:
    
    >      7  Echo
    >      9  Discard
    >     13  Daytime
    >     17  Quote of the Day
    >     19  Character Generator
    >     21  File Transfer Protocol [Control]
    >     25  Simple Mail Transfer
    >     80  World Wide Web HTTP
    >    135  DCE endpoint resolution
    >    139  NETBIOS Session Service
    >    443  https  MCom
    >    445  Microsoft-DS
    >    548  AFP over TCP
    >   1025  network blackjack
    >   1026
    >   1027  ICQ?
    >   1433  Microsoft-SQL-Server
    >   5631  pcANYWHEREdata
    
    > The client claims that they are not running Appletalk (548) but I'm not sure
    > whether to believe. We haven't been able to get console access to that
    > machine to do any further investigation (but have blocked it upstream). Of
    > the above services, most look legit from what I can tell with the exception
    > of 548 and 1025-1027
    
    Most probably your client has been rooted. Among the above services,
    the following are especially easy to hack:
    - netbios (brute force attack on Administrator account)
    - http (whole lot of exploits, running on nonpatched IIS)
    - sql-server (default empty password for 'sa' account; brute force
    attack if password is not empty)
    
    I think your client has no idea what's going on on their servers, and
    they will keep claiming that "everything is fine" till they find their
    data at the competition's site :/ From the above list it's almost obvious
    that they do not have a clue about security and should not be
    connected to the Internet.
    
    Kind regards,
    
    B.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
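The triage the reply does by hand (compare the scanned ports against what the client says they run, then flag the exposed services that are easy to break into) can be scripted. This is an added example, not code from the thread; the scan text is copied from the quoted message, and the client baseline and risk notes are constructed from the two posts, not from any live system.

```python
import re

# Constructed from the port scan quoted in the thread (not a live scan).
SCAN_OUTPUT = """\
     7  Echo
     9  Discard
    13  Daytime
    17  Quote of the Day
    19  Character Generator
    21  File Transfer Protocol [Control]
    25  Simple Mail Transfer
    80  World Wide Web HTTP
   135  DCE endpoint resolution
   139  NETBIOS Session Service
   443  https  MCom
   445  Microsoft-DS
   548  AFP over TCP
  1025  network blackjack
  1026
  1027  ICQ?
  1433  Microsoft-SQL-Server
  5631  pcANYWHEREdata
"""

# Assumed baseline: the ports the original poster considered legitimate
# (everything except 548 and 1025-1027). Constructed for this example.
CLIENT_BASELINE = {7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445, 1433, 5631}

# Exposed services the reply singles out as easy to compromise, with its reasoning.
HIGH_RISK = {
    139: "netbios: brute force against the Administrator account",
    445: "Microsoft-DS/SMB: same Administrator brute-force exposure",
    80: "http: exploits against an unpatched IIS",
    1433: "sql-server: empty or guessable 'sa' password",
}

def parse_scan(text):
    """Return {port: service_name} from the scanner's 'port  name' lines (name may be empty)."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s*(.*)$", line)
        if m:
            ports[int(m.group(1))] = m.group(2).strip()
    return ports

def triage(text, baseline):
    """Split observed ports into (unexpected vs. baseline, high-risk exposed services)."""
    observed = parse_scan(text)
    unexpected = sorted(p for p in observed if p not in baseline)
    risky = {p: HIGH_RISK[p] for p in sorted(observed) if p in HIGH_RISK}
    return unexpected, risky
```

Unexpected ports (548 and the 1025-1027 range here) are what to investigate first; the high-risk set is what should not be reachable from the Internet at all, blocked upstream or not.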
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:33:12 PST