RE: DDoS to microsoft sites

From: Jason Robertson (jasonat_private)
Date: Wed Jan 30 2002 - 16:58:45 PST


    I am going to only say this once.  And only once, and really only once.
    
    Firewalls are not the be-all and end-all of security; having said that, I 
    will say why you should have many levels of security, not just the 
    firewall. 
    First, most major firewalls have had compromises that allow 
    access to the internal network, and a minor lapse of security on one 
    machine can give access to the rest. Look at Code Red II or Nimda, 
    which placed backdoors into IIS; do you not think others will do 
    that?  
    
    Second, with NetBIOS the client controls security, not the server.
    If you want a good document on why not to use NetBIOS:
      http://www.securityfocus.com/library/2071
    
    As for MS SQL, it is pretty insecure in its own right, and do you want 
    someone to have access to your database? Again, pre-7 had a major 
    security breach in password authentication.
    
    And there are at least hundreds of other ways to get access to other 
    services and get admin access by other methods.
    
    Jason
    
    On 30 Jan 2002 at 12:47, Adcock, Matt wrote:
    
    From:           	"Adcock, Matt" <Matt.Adcockat_private>
    To:             	"'Bronek Kozicki'" <brokat_private>,
    	Mike Lewinski <mikeat_private>
    Copies to:      	incidentsat_private
    Subject:        	RE: DDoS to microsoft sites
    Date sent:      	Wed, 30 Jan 2002 12:47:09 -0500
    Mailer:         	Internet Mail Service (5.5.2653.19)
    
    > The fact that ports are listening for SQL traffic, NetBIOS traffic, and HTTP
    > requests ***have absolutely nothing to do with being rooted**.  According to
    > your logic, the only way to make a secure machine is to shut everything off.
    > That's absolutely ridiculous.  Guess what, these services are on lots of
    > Windows machines, including mine, but are protected by firewalls.
    > 
    > I'd really like for you to explain to me how a Windows network will run
    > without NetBIOS.  Try shutting it down sometime - you'll break your Windows
    > network, even 2000.  I'd also like for you to explain to me how you can
    > brute force attack admin accounts just because NetBIOS is open.
    > 
    > Matt
    > 
    > -----Original Message-----
    > From: Bronek Kozicki [mailto:brokat_private]
    > Sent: Wednesday, January 30, 2002 3:21 AM
    > To: Mike Lewinski
    > Cc: incidentsat_private
    > Subject: Re: DDoS to microsoft sites
    > 
    > 
    > Hello
    > 
    > Wednesday, January 30, 2002, 12:23:51 AM, you wrote:
    > > A port scan of one of the infected hosts shows:
    > 
    > >      7  Echo
    > >      9  Discard
    > >     13  Daytime
    > >     17  Quote of the Day
    > >     19  Character Generator
    > >     21  File Transfer Protocol [Control]
    > >     25  Simple Mail Transfer
    > >     80  World Wide Web HTTP
    > >    135  DCE endpoint resolution
    > >    139  NETBIOS Session Service
    > >    443  https  MCom
    > >    445  Microsoft-DS
    > >    548  AFP over TCP
    > >   1025  network blackjack
    > >   1026
    > >   1027  ICQ?
    > >   1433  Microsoft-SQL-Server
    > >   5631  pcANYWHEREdata
    > 
    > > The client claims that they are not running Appletalk (548) but I'm not sure
    > > whether to believe. We haven't been able to get console access to that
    > > machine to do any further investigation (but have blocked it upstream). Of
    > > the above services, most look legit from what I can tell with the exception
    > > of 548 and 1025-1027
    > 
    > Most probably your client has been rooted. Among the above services, the
    > following are especially easy to hack:
    > - netbios (brute force attack on Administrator account)
    > - http (whole lot of exploits, running on nonpatched IIS)
    > - sql-server (default empty password for 'sa' account; brute force
    > attack if password is not empty)
    > 
    > I think your client has no idea what's going on on their servers, and
    > they will keep claiming that "everything is fine" till they find their
    > data at the competition's site :/ From the above list it's almost obvious
    > that they do not have a clue about security and should not be
    > connected to the Internet.
    > 
    > Kind regards,
    > 
    > B.
    > 
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management 
    > and tracking system please see: http://aris.securityfocus.com
    > 
    > 
    > 
    
    
    --
    Jason Robertson                
    Network/Security Analyst     
    jasonat_private 
    http://www.ifuture.com, http://www.astroadvice.com, 
    http://www.astroeast.com
    Also if you are looking for an employee, I may be available soon, so 
    feel free to contact me for my resume.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
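The disagreement in this thread is really about triage: a listener being open is not evidence of compromise by itself, but listeners that do not match what the owner says the box should run are exactly what an incident handler wants surfaced first. The following is an added example, not code from anyone in the thread: it parses a port listing in the format Mike Lewinski quoted and checks it against a hypothetical owner baseline. The baseline set and the per-port review notes are constructed for illustration (they paraphrase the concerns Jason, Bronek and Mike raise); a real baseline comes from the host owner's own build and change records.

```python
# Added example (not from the list thread): triage a scan listing against a
# documented baseline of expected listeners and flag what needs a console check.
import re
from dataclasses import dataclass

# Constructed copy of the scan output quoted in the thread.
SCAN_OUTPUT = """\
     7  Echo
     9  Discard
    13  Daytime
    17  Quote of the Day
    19  Character Generator
    21  File Transfer Protocol [Control]
    25  Simple Mail Transfer
    80  World Wide Web HTTP
   135  DCE endpoint resolution
   139  NETBIOS Session Service
   443  https  MCom
   445  Microsoft-DS
   548  AFP over TCP
  1025  network blackjack
  1026
  1027  ICQ?
  1433  Microsoft-SQL-Server
  5631  pcANYWHEREdata
"""

# Hypothetical baseline: the listeners the owner claims this host should have.
# It mirrors the original poster's view that "most look legit" apart from
# 548 and 1025-1027; it is an assumption for this example, not a recommendation.
EXPECTED_PORTS = {7, 9, 13, 17, 19, 21, 25, 80, 135, 139, 443, 445, 1433, 5631}

# Review notes for listeners that are "expected" yet still deserve a look,
# paraphrasing the concerns raised in the thread (constructed wording).
REVIEW_NOTES = {
    139: "NetBIOS session: confirm it is not reachable from untrusted networks",
    445: "SMB: confirm it is not reachable from untrusted networks",
    1433: "MS SQL: verify 'sa' has a non-empty password and is not Internet-facing",
    548: "AFP: owner says AppleTalk is not running; verify on the console",
}

# One scan line: leading spaces, a port number, then an optional description.
LINE_RE = re.compile(r"^\s*(\d{1,5})\s*(.*?)\s*$")


@dataclass(frozen=True)
class Listener:
    port: int
    label: str


def parse_listing(text):
    """Parse 'PORT  description' lines; the description may be empty (port 1026)."""
    listeners = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable scan line: {raw!r}")
        port = int(m.group(1))
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {port}")
        listeners.append(Listener(port, m.group(2)))
    return listeners


def unexpected_ports(listeners, expected=EXPECTED_PORTS):
    """Listeners absent from the owner's baseline, in ascending port order."""
    return sorted(l.port for l in listeners if l.port not in expected)


def review_items(listeners, notes=REVIEW_NOTES):
    """Baseline-or-not, listeners the thread singles out for a closer look."""
    return {l.port: notes[l.port] for l in listeners if l.port in notes}


def unlabelled_ports(listeners):
    """Listeners the scanner could not name (or only guessed at with a '?')."""
    return [l.port for l in listeners if not l.label or l.label.endswith("?")]


if __name__ == "__main__":
    ls = parse_listing(SCAN_OUTPUT)
    print("not in baseline:", unexpected_ports(ls))
    for port, note in sorted(review_items(ls).items()):
        print(f"  {port:5d}  {note}")
    print("unnamed or uncertain:", unlabelled_ports(ls))
```

Run as written it reports 548 and 1025-1027 as outside the baseline, which is the same set Mike singled out, and separately lists 139, 445 and 1433 as baseline services that still need their exposure and credentials checked, which is Jason's and Bronek's point. The unnamed high ports are deliberately put in a "confirm on the console" bucket rather than given a verdict: a scanner's guess at a service name (or the absence of one) is not evidence either way, which is why the original poster was right to want console access before drawing conclusions.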
    



    This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 08:47:11 PST