The fact that ports are listening for SQL traffic, NetBIOS traffic, and HTTP requests **has absolutely nothing to do with being rooted**. According to your logic, the only way to make a secure machine is to shut everything off. That's absolutely ridiculous. Guess what, these services are on lots of Windows machines, including mine, but are protected by firewalls. I'd really like for you to explain to me how a Windows network will run without NetBIOS. Try shutting it down sometime - you'll break your Windows network, even 2000. I'd also like for you to explain to me how you can brute force attack admin accounts just because NetBIOS is open.

Matt

-----Original Message-----
From: Bronek Kozicki [mailto:brokat_private]
Sent: Wednesday, January 30, 2002 3:21 AM
To: Mike Lewinski
Cc: incidentsat_private
Subject: Re: DDoS to microsoft sites

Hello

Wednesday, January 30, 2002, 12:23:51 AM, you wrote:

> A port scan of one of the infected hosts shows:
> 7 Echo
> 9 Discard
> 13 Daytime
> 17 Quote of the Day
> 19 Character Generator
> 21 File Transfer Protocol [Control]
> 25 Simple Mail Transfer
> 80 World Wide Web HTTP
> 135 DCE endpoint resolution
> 139 NETBIOS Session Service
> 443 https MCom
> 445 Microsoft-DS
> 548 AFP over TCP
> 1025 network blackjack
> 1026
> 1027 ICQ?
> 1433 Microsoft-SQL-Server
> 5631 pcANYWHEREdata
> The client claims that they are not running Appletalk (548) but I'm not sure
> whether to believe. We haven't been able to get console access to that
> machine to do any further investigation (but have blocked it upstream). Of
> the above services, most look legit from what I can tell with the exception
> of 548 and 1025-1027

Most probably your client has been rooted.

Among the above services, the following are especially easy to hack:
- netbios (brute force attack on Administrator account)
- http (whole lot of exploits, running on nonpatched IIS)
- sql-server (default empty password for 'sa' account; brute force attack if password is not empty)

I think your client has no idea what's going on on their servers, and they will keep claiming that "everything is fine" till they find their data at the competition site :/

From the above list it's almost obvious that they do not have a clue about security and should not be connected to the Internet.

Kind regards,
B.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
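Mike's triage of the scan (services that look legitimate versus the unexplained 548 and 1025-1027) and Bronek's list of services that are risky when Internet-reachable, combined into one added Python example that is not from any poster in this thread: it parses the quoted port listing against an assumed baseline of what the host is supposed to expose and splits the result into ports to investigate and baseline ports whose firewall filtering should be verified. The baseline set and the per-port risk notes are assumptions, not something the scanner reported.

```python
import re

# Constructed sample: the listening ports quoted from the scan in the thread.
SCAN_OUTPUT = """\
7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
21 File Transfer Protocol [Control]
25 Simple Mail Transfer
80 World Wide Web HTTP
135 DCE endpoint resolution
139 NETBIOS Session Service
443 https MCom
445 Microsoft-DS
548 AFP over TCP
1025 network blackjack
1026
1027 ICQ?
1433 Microsoft-SQL-Server
5631 pcANYWHEREdata
"""

# Assumed baseline: what the owner says this Windows web/SQL host should expose.
EXPECTED_PORTS = {7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445, 1433, 5631}

# Services the thread calls dangerous when reachable from the Internet instead of
# being filtered by a firewall (assumed notes, not scanner output).
INTERNET_RISKY = {80: "IIS: confirm patch level", 135: "RPC: restrict at firewall",
                  139: "NetBIOS: restrict at firewall", 445: "SMB: restrict at firewall",
                  1433: "SQL Server: no blank 'sa' password, restrict at firewall"}

LINE_RE = re.compile(r"^\s*(\d+)\s*(.*)$")

def parse_scan(text):
    """Return {port: description} from 'port description' lines; blank name -> 'unknown'."""
    ports = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports[int(m.group(1))] = m.group(2).strip() or "unknown"
    return ports

def triage(scan, expected=EXPECTED_PORTS, risky=INTERNET_RISKY):
    """Split ports into (investigate: not in baseline, verify: in baseline but risky if exposed)."""
    investigate = {p: d for p, d in scan.items() if p not in expected}
    verify = {p: risky[p] for p in scan if p in expected and p in risky}
    return investigate, verify
```

Calling `triage(parse_scan(SCAN_OUTPUT))` returns 548 and 1025-1027 in the investigate set and 80, 135, 139, 445 and 1433 in the verify set, which is the split the two positions in the thread are arguing about.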
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 11:19:36 PST