In-Reply-To: <BKEPKKMHGCKPBIKCIBGNGEPJCAAA.zenoneat_private>

Island Press was similarly defaced, it appears access occurred at 5:08 on May 8th and was achieved via the MS SQL server sa password. We did not have IIS running but had enough files removed to require a complete rebuild. We also believed all systems to have been properly patched.

Were any of the other servers attacked behind a firewall or were they all visible?

Alphonse

>From: "Steve Zenone" <zenoneat_private>
>To: <incidentsat_private>
>Cc: <thompsonat_private>
>Subject: RE: Windows Systems Defaced
>Date: Thu, 2 May 2002 20:23:56 -0700
>
>Hello,
>
>Stephen W. Thompson wrote:
>|> Have any of you seen similar activity? Any thoughts?
>|
>|Yes, we had one that matches most of your details. These
>|are exact matches:
>|
>|> [] Damage occurred around 1600 on 5/1/2002
>|BUT=> (approx. 16:00 EDT for us)
>|> [] Win-popup message with "F---ing University of Rochester"
>|> -- NOTE: not all systems running IIS
>|> [] Admins claimed that all systems were patched correctly
>|> [] Most were running updated and current AV
>
>Thank you very much for your reply - it definitely helps!
>
>We have been seeing MS-SQL (1433/tcp) attacks that try and execute
>the following:
>
>-----BEGIN SNIPPET-----
> xp_cmdshell 'echo net send localhost F---ing University of Rochester
>rebooting... > rochester.bat'
>
> xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
>
> xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
>
> xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
>
> xp_cmdshell 'at /delete /y'
>
> xp_cmdshell 'echo if exist \inetpub\wwwroot\ type
>%systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >>
>rochester.bat'
>-----END SNIPPET-----
>
>The above commands were directed to systems that were listening on
>port 1433/tcp and accessible from the outside. It appears that there
>were multiple source IPs involved in this attack.
>
>At this time, I am not completely clear on how to protect from this
>attack. What I've researched is that since external functions such
>as xp_cmdshell, xp_startmail, xp_sendmail, and xp_stopmail present
>possible security risks, it is recommended to drop such external
>system functions. Else, deny EXECUTE permission on them to specific
>users/roles if dropping these procedures would break any of the SQL
>Server. I haven't tested this - but does anyone on this list know if
>this is a safe and effective solution?
>
>Regards,
>Steve
>
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
>
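The two mitigations Steve asks about (deny EXECUTE on the extended procedures, or drop them) written out as T-SQL for the SQL Server 7.0/2000 installations this thread concerns. This is an added example, not code from either poster or from the list; it assumes you are connected to the master database as a member of the sysadmin role and that the procedure names are exactly the four Steve lists.

```sql
-- Added example, not from the thread. Hardening of the extended stored
-- procedures named in the discussion, for SQL Server 7.0/2000.
-- Run in master as a sysadmin (Query Analyzer / osql); GO is the batch separator.
USE master
GO

-- Record the registered DLL for each procedure before changing anything, so a
-- dropped procedure can be re-registered with sp_addextendedproc if a
-- legitimate job turns out to depend on it.
EXEC sp_helpextendedproc 'xp_cmdshell'
EXEC sp_helpextendedproc 'xp_startmail'
EXEC sp_helpextendedproc 'xp_sendmail'
EXEC sp_helpextendedproc 'xp_stopmail'
GO

-- Option 1 (the "deny EXECUTE" variant): keep the procedures, but make sure
-- no ordinary login or role can call them. By default only sysadmin can run
-- xp_cmdshell, so this mainly guards against permissions that were granted
-- to public or to application roles over the years.
-- Caveat: members of sysadmin (the sa login included) bypass DENY entirely,
-- so this does nothing against an attacker who has the sa password, which is
-- how both compromises described in this thread happened.
DENY EXECUTE ON xp_cmdshell  TO public
DENY EXECUTE ON xp_startmail TO public
DENY EXECUTE ON xp_sendmail  TO public
DENY EXECUTE ON xp_stopmail  TO public
GO

-- Option 2 (the "drop" variant): unregister the extended procedures so that
-- not even sa can invoke them. This is the one that actually removes the
-- capability the attack relied on; keep the sp_helpextendedproc output above
-- in case you need to restore one.
EXEC sp_dropextendedproc 'xp_cmdshell'
EXEC sp_dropextendedproc 'xp_startmail'
EXEC sp_dropextendedproc 'xp_sendmail'
EXEC sp_dropextendedproc 'xp_stopmail'
GO

-- Verification: which of the four are still registered (sysobjects.xtype 'X'
-- is an extended stored procedure), and who holds an EXECUTE entry on them
-- (sysprotects.action 224 = EXECUTE; protecttype 205 = GRANT, 206 = DENY).
-- An empty result set after Option 2 is the expected outcome.
SELECT o.name            AS procedure_name,
       u.name            AS grantee,
       p.protecttype
FROM   sysobjects o
       LEFT JOIN sysprotects p ON p.id = o.id AND p.action = 224
       LEFT JOIN sysusers    u ON u.uid = p.uid
WHERE  o.xtype = 'X'
  AND  o.name IN ('xp_cmdshell', 'xp_startmail', 'xp_sendmail', 'xp_stopmail')
GO
```

Because the attacker in both reports came in as sa, the permission-based Option 1 is only a defence in depth; the controls that would have stopped this incident are a strong sa password (no blank or default password) and not exposing 1433/tcp to the outside at all. On SQL Server 2005 and later, xp_cmdshell is instead disabled with `sp_configure 'xp_cmdshell', 0` and sp_dropextendedproc is no longer the recommended approach.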
This archive was generated by hypermail 2b30 : Tue May 14 2002 - 14:10:31 PDT