RE: Windows Systems Defaced/destroyed, plus Port 3389 attacks

From: Skinner, Kit (KSkinnerat_private)
Date: Fri May 17 2002 - 13:14:04 PDT


    Well, Thor was writing TSGrinder to basically brute force the way in.
    However, it's still in Beta and isn't freely available.
    http://www.hammerofgod.com/download.htm
    
    But, as Thor points out, the data in the TS channel is encrypted and
    therefore makes it difficult to observe or detect brute force attacks with
    NIDS.  If you don't rename the Administrator account and/or you don't
    monitor your event logs, you just sit there and manually brute force it till
    you're blue in the face and no one would be the wiser.
    
    The other option is there was a Buffer Overflow exploit in NT4 TSE.  If
    they're not patched, they are vulnerable.
    
    Also, there's a memory leak in TS that is patched by Q292435.
    
    Other than that, I don't know of any off the top of my head.
    
    -K
    
    -----Original Message-----
    From: Bukys, Liudvikas [mailto:bukysat_private]
    Sent: Monday, May 13, 2002 11:00 AM
    To: incidentsat_private; unisogat_private
    Cc: bukysat_private
    Subject: Windows Systems Defaced/destroyed, plus Port 3389 attacks
    
    
    --------
    
    REGARDING:
       - ONGOING "F***ing University of Rochester" defacement and destruction
       - OLD Fluxay SQL & NETBIOS attacks
       - NEW Port 3389 WTS attacks & HP LaserJet defacements/reconfigurations
    
    ---
    
    I am continuing to hear about newly-hacked sites, that have experienced
    identical attacks, using MS SQL Server holes and a "rochester.bat"
    script previously discussed on the "incidents" list, to delete most
    files, and, if there is an IIS web server installed, replace its home
    page with text reading "F***ing University of Rochester" (please excuse
    the language).
    
    Victims to date have included several systems at UC Santa Cruz, a U Penn
    Cancer Center third-party hosted web site, a headhunting firm, and a
    publishing firm.
    
    *** If any more sites are hacked in this fashion, I would appreciate hearing
    about it -- please send email to abuseat_private ***
    
    ---
    
    
    Many of you have been experiencing similar sets of attacks via SQL, NETBIOS,
    and various other ports.  The University of Rochester experience includes
    these common features:
    * Scanning for and exploitation of Microsoft SQL server weak or blank
      'sa' passwords (port 1433)
    * Scanning for and exploitation of weak passwords on Windows
      administrator accounts (netbios ports 137-139, 445, 524)
    * installation of back door software on compromised machines (typically
      RemoteNC or FluxaySensor)
    * Most common tool for the above has been Fluxay from
      www.netxeyes.com/down.html.  It offers very easy one-click
      exploitation and back-door installation.
    
    ---
    
    IN ADDITION, the same attackers have been exploiting or trying to
    exploit the following.  I point them out separately because there has
    not been much discussion yet about port 3389 exploits in particular, so
    I am keenly interested in getting more information (and in alerting the
    rest of you).
    
    * Scanning for and exploitation of something in Windows Terminal Server
      (port 3389).  Exploit tool and attack method unknown.  (Please all if
      evidence turns up.)
    * Defacement and reconfiguration of HP LaserJet printers (ports 23,
      9100, 80), addresses set to collide with production web and dns
      servers.  Exploit tool and attack method unknown.  We have at least
      one claim that a printer with up-to-date firmware and a password set
      still got exploited, so perhaps it's not all weak passwords.
    
    *** If you see similar attacks, I would be grateful for additional
    information you could provide regarding the attackers (e.g.  source of
    attack, for correlation purposes), and their methods (e.g.  copies of
    attack tools left behind).  I would especially welcome information on
    the port 3389 mystery exploit. ***
    
    ---
    
    Liudvikas Bukys
    Associate Vice Provost for Computing
    Office of CIO
    University of Rochester
    bukysat_private
    716-275-7747
    
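Kit's point that an encrypted TS channel hides password guessing from a NIDS, leaving the host's own event log as the place to catch it, as an added example that is not part of either message: a small Python script that scans a constructed CSV export of security-log logon records, flags a source that fails repeatedly inside a short window, and separately flags a later successful logon from that same source (the case that actually matters). The CSV layout and the sample records are constructed for this example; only the NT4/2000 event ids 529 (logon failure) and 528 (successful logon) are real.

```python
"""Detect Terminal Services password guessing from exported security-log
records.  Constructed example: the record format is a simplified CSV
export (timestamp, event id, account, source), not any real tool's output."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records.  Event 529 = "Logon Failure: Unknown user
# name or bad password" (NT4/2000 security log); 528 = successful logon.
SAMPLE_LOG = """\
2002-05-13 10:58:01,529,Administrator,10.0.0.77
2002-05-13 10:58:03,529,Administrator,10.0.0.77
2002-05-13 10:58:04,529,Administrator,10.0.0.77
2002-05-13 10:58:06,529,Administrator,10.0.0.77
2002-05-13 10:58:07,529,Administrator,10.0.0.77
2002-05-13 10:58:09,529,Administrator,10.0.0.77
2002-05-13 10:59:30,528,Administrator,10.0.0.77
2002-05-13 11:02:00,529,jsmith,192.168.5.20
2002-05-13 11:30:00,529,jsmith,192.168.5.20
"""

FAILED_LOGON = 529
SUCCESS_LOGON = 528

def parse(text):
    """Yield (timestamp, event_id, account, source) tuples from CSV lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, source = line.split(",")
        yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account, source

def find_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts: sources with >= threshold failed logons inside `window`,
    plus any later success from a source already flagged (likely guessed)."""
    recent = defaultdict(deque)   # source -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, eid, account, source in parse(text):
        if eid == FAILED_LOGON:
            q = recent[source]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and source not in flagged:
                flagged.add(source)
                alerts.append(("bruteforce", source, account, len(q)))
        elif eid == SUCCESS_LOGON and source in flagged:
            alerts.append(("success-after-bruteforce", source, account, 0))
    return alerts
```

Slow, spread-out guessing (two failures half an hour apart, as for `jsmith` above) falls outside the window and is not flagged; a lower threshold or longer window trades false positives for catching that.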
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri May 17 2002 - 13:54:46 PDT