Re: Re: DDoS to microsoft sites

From: Mike Lewinski (mikeat_private)
Date: Thu Jan 31 2002 - 07:12:00 PST

Next message: Soeren Ziehe: "formmail - abuse contact for broadwing.net?"

Previous message: John: "Apache 1.3.XX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

<auto241065at_private> asks:

> On Wed, 30 Jan 2002 08:59:18 -0700, Mike Lewinski <mikeat_private>
wrote:
> >I'm guessing that the SQL server is the infection vector in both these
> >cases, but equally suspect that the exploit is from the vulnerability in
> >@stake's recent MS-SQL advisory:
> >http://www.atstake.com/research/advisories/2001/a122001-1.txt
>
> What makes you suspect this vulnerability was exploited? Are you able to
post a packet capture or any other logs?

It's just a hunch, based on the likelihood that if this were a new IIS worm
we would have seen more than 2 infections here [0].

I did get confirmation that one of the boxes in the current incident had an
empty 'sa' SQL password, so it could also be the W32/SQLWorm that someone
pointed out to me privately:

http://www.geek.com/news/geeknews/2001nov/gee20011123008988.htm

I don't have any packet captures, because we blocked it upstream as soon as
we identified the sources of the attack (which were not spoofed, fwiw- a
possible sign that this DDoS has enough zombies that it doesn't matter). I
doubt our clients will be able to do a proper forensics exam. We've strongly
encouraged both to reformat and reinstall, but I'll ask if we can get copies
of any infected files or rootkit tracks. I doubt they've done any
post-mortem (odds are that one will ignore the reinstall advice so maybe
I'll get a second shot at it...)

Mike

[0] Both Code Red and NIMDA hit more than 20 systems (there were repeat
lusers, but not all). NIMDA spread amazingly fast, so much that I believe
all vulnerable machines on our client networks were infected within 10-15
minutes of each other (has anyone investigated the possibility it was a
warhol worm initially? Those clients are spread out over many unique
netblocks.)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Soeren Ziehe: "formmail - abuse contact for broadwing.net?"
Previous message: John: "Apache 1.3.XX"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 08:58:04 PST