Re: Re: DDoS to microsoft sites

From: Mike Lewinski (mikeat_private)
Date: Thu Jan 31 2002 - 07:12:00 PST


    <auto241065at_private> asks:
    
    > On Wed, 30 Jan 2002 08:59:18 -0700, Mike Lewinski <mikeat_private>
    > wrote:
    > >I'm guessing that the SQL server is the infection vector in both these
    > >cases, but equally suspect that the exploit is from the vulnerability in
    > >@stake's recent MS-SQL advisory:
    > >http://www.atstake.com/research/advisories/2001/a122001-1.txt
    >
    > What makes you suspect this vulnerability was exploited? Are you able to
    > post a packet capture or any other logs?
    
    It's just a hunch, based on the likelihood that if this were a new IIS worm
    we would have seen more than 2 infections here [0].
    
    I did get confirmation that one of the boxes in the current incident had an
    empty 'sa' SQL password, so it could also be the W32/SQLWorm that someone
    pointed out to me privately:
    
    http://www.geek.com/news/geeknews/2001nov/gee20011123008988.htm
    
    I don't have any packet captures, because we blocked it upstream as soon as
    we identified the sources of the attack (which were not spoofed, fwiw, a
    possible sign that this DDoS has enough zombies that it doesn't matter). I
    doubt our clients will be able to do a proper forensics exam. We've strongly
    encouraged both to reformat and reinstall, but I'll ask if we can get copies
    of any infected files or rootkit tracks. I doubt they've done any
    post-mortem (odds are that one will ignore the reinstall advice so maybe
    I'll get a second shot at it...)
    
    Mike
    
    [0] Both Code Red and NIMDA hit more than 20 systems (there were repeat
    lusers, but not all). NIMDA spread amazingly fast, so much that I believe
    all vulnerable machines on our client networks were infected within 10-15
    minutes of each other (has anyone investigated the possibility it was a
    warhol worm initially? Those clients are spread out over many unique
    netblocks.)
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com