I believe tcp/6667 and tcp/6668 are both used for IRC. It would make sense that these are network aware. I know other IMs are.

Matt

-----Original Message-----
From: Mike Lewinski [mailto:mikeat_private]
Sent: Wednesday, January 30, 2002 10:59 AM
To: incidentsat_private
Subject: Re: DDoS to microsoft sites

We were able to get a port scan of the other client's infected box, and it too was running IIS and MS-SQL. However, in addition it also had tcp 6667/6668 open. Ironically, this same client's server was running Linux two years ago, and intruders installed an eggdrop bot there. I believe that incident (which totaled their machine before any data recovery was possible) caused them to look to a Microsoft solution.

The primary difference between the two clients is that the first port scan I sent in was done via a crossover cable (meaning the rooted box had been unplugged from the network). So I suspect that whatever it is detects disconnection of network media and terminates itself.

"Bronek Kozicki" <brokat_private> writes:

> Most probably your client has been rooted. Among above services,
> following are especially easy to hack:
> - netbios (brute force attack on Administrator account)

The 2nd client had their netbios ports locked down. I believe it was behind a very basic packet filter. Assuming that both machines were compromised by the same tool, I don't think that this was the vector.

> - http (whole lot of exploits, running on nonpatched IIS)

I believe that both boxes had enough patches applied to withstand ongoing Code Red/Nimda attacks for many months. We typically find out when our clients install a new IIS server and don't patch it within a day or two (which is simply the lag time between the initial infection and first report -- they usually only last a couple hours at best).
> - sql-server (default empty password for 'sa' account; brute force
> attack if password is not empty)

I'm guessing that the SQL server is the infection vector in both these cases, but equally suspect that the exploit is from the vulnerability in @stake's recent MS-SQL advisory:

http://www.atstake.com/research/advisories/2001/a122001-1.txt

> From above list it's almost obvious
> that they do not have a clue about security and should not be
> connected to the Internet.

This is probably true for 80% of our clients, and the same goes for the rest of the Internet. Removing all the clueless users would promptly bankrupt the Tier 1 providers who don't have alternate sources of income and cause The End of the Internet ;)

--

Because I'm sure that the following sentiment is shared elsewhere on the list, I want to also respond to a private message I received in regards to Microsoft being attacked:

> Is this supposed to be a bad thing?

We typically notice this type of activity because:

a) It's impacting our operations (i.e. link saturation, router resource depletion)
b) It's increasing our bandwidth costs

So yes, this was a bad thing, and we blocked it as soon as we were able to identify the sources.

Mike

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.

For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------------
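Added example, not part of the thread above and not code from any of the posters: Mike's point is that a bot watching for link loss can make a crossover-cable scan look clean, so the useful artefact is the difference between a scan taken with the box on the network and one taken isolated. The script below parses two nmap grepable (-oG) scans of the same host and reports listeners that are open only while networked, annotating the ports this thread cares about (IRC 6667/6668, MS-SQL 1433, NetBIOS/SMB). Both scan samples are constructed for the example; the host address, port list and annotations are assumptions, not data from the incident.

```python
"""Compare a networked and an isolated port scan of the same host.

Added example (not from the original thread). Input is nmap -oG output,
whose Host: lines carry entries of the form port/state/proto/owner/service/...
"""

import re

# Ports worth calling out on a Windows IIS/MS-SQL box (assumed list).
NOTABLE = {
    6667: "IRC (typical bot control channel)",
    6668: "IRC (typical bot control channel)",
    1433: "MS-SQL (check the 'sa' password)",
    139: "NetBIOS session",
    445: "SMB",
}

# Constructed sample: the box scanned while still plugged into the network.
SCAN_NETWORKED = (
    "# Nmap scan initiated Wed Jan 30 10:15:02 2002 (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, "
    "1433/open/tcp//ms-sql-s///, 6667/open/tcp//irc///, 6668/open/tcp//irc///"
    "\tIgnored State: closed (65530)\n"
    "# Nmap done\n"
)

# Constructed sample: the same box scanned over a crossover cable.
SCAN_ISOLATED = (
    "# Nmap scan initiated Wed Jan 30 10:40:17 2002 (constructed sample)\n"
    "Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, "
    "1433/open/tcp//ms-sql-s///"
    "\tIgnored State: closed (65532)\n"
    "# Nmap done\n"
)


def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = re.match(r"Host:\s+(\S+)", line).group(1)
        ports = hosts.setdefault(host, {})
        # The port list runs from "Ports:" to the next tab-separated field.
        m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(", "):
            fields = entry.split("/")
            if len(fields) < 5:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service = fields[:5]
            ports[(int(port), proto)] = (state, service)
    return hosts


def networked_only(networked, isolated, host):
    """Ports open in the networked scan but absent/closed in the isolated one."""
    net = {k for k, (st, _) in parse_grepable(networked).get(host, {}).items() if st == "open"}
    iso = {k for k, (st, _) in parse_grepable(isolated).get(host, {}).items() if st == "open"}
    return sorted(net - iso)


def report(networked, isolated, host):
    """Human-readable lines for each listener that vanished when the link dropped."""
    lines = []
    for port, proto in networked_only(networked, isolated, host):
        note = NOTABLE.get(port)
        lines.append(f"{port}/{proto} open only while networked" + (f": {note}" if note else ""))
    return lines


if __name__ == "__main__":
    for line in report(SCAN_NETWORKED, SCAN_ISOLATED, "192.0.2.10"):
        print(line)
```

Run it against real -oG files by reading them into the two strings; a port that only appears while the box is networked is the first thing to pull a process listing for before the machine is unplugged again.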
This archive was generated by hypermail 2b30 : Wed Jan 30 2002 - 11:23:06 PST