Security Incidents
mailing list archives
Re: [unisog] Windows Systems Defaced/destroyed, plus Port 3389 attacks
From: "Chris Wilson" <chrisw () nipissingu ca>
Date: Mon, 13 May 2002 16:33:36 -0400
I have seen this with Jet Direct Cards before. Have you ever run a checker, such as Fluxy, against a jetdirect that has
TCPIP enabled?
Depending on which model it is, it can have in excess of 30 different user account/password combinations.
There are also a few unix based utilities I have seen around (I will try and find some) that allow you to change settings,
even change the messages that are displayed on some HP printers.
Christopher Wilson
Computing Services
Nipissing University
chrisw () mail unipissing ca
Tel: (705) 474 3450 ext 4377
Fax: (705) 474 1947
"Bukys, Liudvikas" <bukys () rochester edu> 05/13/2002 12:00:25 PM >>>
--------
REGARDING:
- ONGOING "F***ing University of Rochester" defacement and destruction
- OLD Fluxay SQL & NETBIOS attacks
- NEW Port 3389 WTS attacks & HP LaserJet defacements/reconfigurations
---
I am continuing to hear about newly-hacked sites, that have experienced
identical attacks, using MS SQL Server holes and a "rochester.bat"
script previously discussed on the "incidents" list, to delete most
files, and, if there is an IIS web server installed, replace its home
page with text reading "F***ing University of Rochester" (please excuse
the language).
Victims to date have included several systems at UC Santa Cruz, a U Penn
Cancer Center third-party hosted web site, a headhunting firm, and a publishing
firm.
*** If any more sites are hacked in this fashion, I would appreciate hearing
about it -- please send email to abuse () rochester edu ***
---
Many of you have been experiencing similar sets of attacks via SQL, NETBIOS,
and various other ports. The University of Rochester experience includes these
common features:
* Scanning for and exploitation of Microsoft SQL server weak or blank
'sa' passwords (port 1433)
* Scanning for and exploitation of weak passwords on Windows
administrator accounts (netbios ports 137-139, 445, 524)
* installation of back door software on compromised machines (typically
RemoteNC or FluxaySensor)
* Most common tool for the above has been Fluxay from
www.netxeyes.com/down.html. It offers very easy one-click
exploitation and back-door installation.
---
IN ADDITION, the same attackers have been exploiting or trying to
exploit the following. I point them out separately because there has
not been much discussion yet about port 3389 exploits in particular, so
I am keenly interested in getting more information (and in alerting the
rest of you).
* Scanning for and exploitation of something in Windows Terminal Server
(port 3389). Exploit tool and attack method unknown. (Please all if
evidence turns up.)
* Defacement and reconfiguration of HP LaserJet printers (ports 23,
9100, 80), addresses set to collide with production web and dns
servers. Exploit tool and attack method unknown. We have at least
one claim that a printer with up-to-date firmware and a password set
still got exploited, so perhaps it's not all weak passwords.
*** If you see similar attacks, I would be grateful for additional
information you could provide regarding the attackers (e.g. source of
attack, for correlation purposes), and their methods (e.g. copies of
attack tools left behind). I would especially welcome information on
the port 3389 mystery exploit. ***
---
Liudvikas Bukys
Associate Vice Provost for Computing
Office of CIO
University of Rochester
bukys () rochester edu
716-275-7747
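One way for a site to answer Bukys's request for source correlation is to run its own firewall logs through a small script that groups connection attempts by source address and flags any source touching several of the ports named in the report above (1433, 137-139, 445, 524, 3389, 23, 9100, 80). The script below is an added example, not code from either poster; the log lines are constructed in an iptables-style syslog format, and the SRC=/DST=/DPT= field names, the port table, and the threshold of three distinct watched ports are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Ports named in the report, with the activity they were associated with.
# (Port 80 is included because of the LaserJet web admin reconfiguration,
# but on its own it is normal traffic; the threshold below keeps it from
# flagging ordinary web clients.)
WATCHED_PORTS = {
    1433: "MS SQL Server 'sa' password guessing",
    137: "NetBIOS admin password guessing",
    138: "NetBIOS admin password guessing",
    139: "NetBIOS admin password guessing",
    445: "SMB admin password guessing",
    524: "admin password guessing (port 524, as listed in the report)",
    3389: "Windows Terminal Server probe",
    23: "HP LaserJet telnet reconfiguration",
    9100: "HP LaserJet raw print port reconfiguration",
    80: "HP LaserJet web admin / IIS defacement",
}

# Constructed sample log lines (iptables-style syslog; addresses are
# documentation ranges, not real hosts).
SAMPLE_LOG = """\
May 13 11:58:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=4021 DPT=1433
May 13 11:58:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4022 DPT=139
May 13 11:58:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=4023 DPT=445
May 13 11:58:05 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.12 PROTO=TCP SPT=4024 DPT=3389
May 13 11:58:09 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.40 PROTO=TCP SPT=4025 DPT=9100
May 13 11:59:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80
May 13 11:59:01 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.2 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=80
May 13 11:59:30 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=3333 DPT=1433
May 13 11:59:31 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=3334 DPT=53
"""

LINE_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+)\s+PROTO=(\S+).*?DPT=(\d+)")


def parse_line(line):
    """Return (src, dst, proto, dport) for a firewall line, or None if it
    does not carry those fields."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto, int(dport)


def correlate(lines, min_ports=3):
    """Group TCP connection attempts by source address and return, for each
    source that touched at least `min_ports` distinct watched ports, a
    dict with the sorted ports, the targets hit and the matching activity
    labels from the report."""
    ports_by_src = defaultdict(set)
    targets_by_src = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "TCP" or dport not in WATCHED_PORTS:
            continue
        ports_by_src[src].add(dport)
        targets_by_src[src].add(dst)
    flagged = {}
    for src, ports in ports_by_src.items():
        if len(ports) >= min_ports:
            flagged[src] = {
                "ports": sorted(ports),
                "targets": sorted(targets_by_src[src]),
                "activity": sorted({WATCHED_PORTS[p] for p in ports}),
            }
    return flagged


if __name__ == "__main__":
    for src, info in correlate(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: ports {info['ports']} against {info['targets']}")
        for label in info["activity"]:
            print(f"    - {label}")
```

Only the source that walks through SQL, NetBIOS/SMB, Terminal Server and printer ports together is reported; the web-only client and the single SQL probe stay below the threshold. The flagged source, its target list and the time window are exactly the correlation data the report asks other sites to share.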
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com