<auto241065at_private> asks: > On Wed, 30 Jan 2002 08:59:18 -0700, Mike Lewinski <mikeat_private> wrote: > >I'm guessing that the SQL server is the infection vector in both these > >cases, but equally suspect that the exploit is from the vulnerability in > >@stake's recent MS-SQL advisory: > >http://www.atstake.com/research/advisories/2001/a122001-1.txt > > What makes you suspect this vulnerability was exploited? Are you able to post a packet capture or any other logs? It's just a hunch, based on the likelihood that if this were a new IIS worm we would have seen more than 2 infections here [0]. I did get confirmation that one of the boxes in the current incident had an empty 'sa' SQL password, so it could also be the W32/SQLWorm that someone pointed out to me privately: http://www.geek.com/news/geeknews/2001nov/gee20011123008988.htm I don't have any packet captures, because we blocked it upstream as soon as we identified the sources of the attack (which were not spoofed, fwiw- a possible sign that this DDoS has enough zombies that it doesn't matter). I doubt our clients will be able to do a proper forensics exam. We've strongly encouraged both to reformat and reinstall, but I'll ask if we can get copies of any infected files or rootkit tracks. I doubt they've done any post-mortem (odds are that one will ignore the reinstall advice so maybe I'll get a second shot at it...) Mike [0] Both Code Red and NIMDA hit more than 20 systems (there were repeat lusers, but not all). NIMDA spread amazingly fast, so much that I believe all vulnerable machines on our client networks were infected within 10-15 minutes of each other (has anyone investigated the possibility it was a warhol worm initially? Those clients are spread out over many unique netblocks.) ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 08:58:04 PST