Re: DDoS to microsoft sites

From: Mike Lewinski (mikeat_private)
Date: Wed Jan 30 2002 - 07:59:18 PST

  • Next message: Adcock, Matt: "RE: DDoS to microsoft sites"

    We were able to get a port scan of the other client's infected box, and it
    too was running IIS and MS-SQL. However, in addition it also had tcp
    6667/6668 open. Ironically, this same client's server was running Linux two
    years ago, and intruders installed an eggdrop bot there. I believe that
    incident (which totaled their machine before any data recovery was possible)
    caused them to look to a Microsoft solution.
    
    The primary difference between the two clients is that the first port scan I
    sent in was done via a crossover cable (meaning the rooted box had been
    unplugged from the network). So I suspect that whatever it is detects
    disconnection of network media and terminates itself.
    
    "Bronek Kozicki" <brokat_private> writes:
    
    > Most probably your client has been rooted. Among above services,
    > following are especially easy to hack:
    > - netbios (brute force attack on Administrator account)
    
    The 2nd client had their netbios ports locked down. I believe it was behind
    a very basic packet filter. Assuming that both machines were compromised by
    the same tool, I don't think that this was the vector.
    
    > - http (whole lot of exploits, running on nonpatched IIS)
    
    I believe that both boxes had enough patches applied to withstand ongoing
    Code Red/Nimda attacks for many months. We typically find out when our
    clients install a new IIS server and don't patch it within a day or two
    (which is simply the lag time between the initial infection and first
    report-- they usually only last a couple hours at best).
    
    > - sql-server (default empty password for 'sa' account; brute force
    > attack if password is not empty)
    
    I'm guessing that the SQL server is the infection vector in both these
    cases, but equally suspect that the exploit is from the vulnerability in
    @stake's recent MS-SQL advisory:
    http://www.atstake.com/research/advisories/2001/a122001-1.txt
    
    > From above list its almost obvious
    > that they do not have a clue about security and should not be
    > connected to the Internet.
    
    This is probably true for 80% of our clients, and the same goes for the rest
    of the Internet. Removing all the clueless users would promptly bankrupt the
    Tier 1 providers who don't have alternate sources of income and cause The
    End of the Internet ;)
    
    --
    
    Because I'm sure that the following sentiment is shared elsewhere on the
    list, I want to also respond to a private message I received in regards to
    Microsoft being attacked:
    
    >  Is this supposed to be a bad thing?
    
    We typically notice this type of activity because:
    
    a) It's impacting our operations (i.e. link saturation, router resource
    depletion)
    b) It's increasing our bandwidth costs
    
    So yes, this was a bad thing, and we blocked it as soon as we were able to
    identify the sources.
    
    Mike
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 09:42:49 PST