Security Incidents: Re: Windows Systems Defaced

[Alphonse MacDonald <amacdonald () islandpress org>]

In-Reply-To: <BKEPKKMHGCKPBIKCIBGNGEPJCAAA.zenone () cats ucsc edu>

Island Press was similarly defaced, it appears access 
occured at 5:08 on May 8th and was achieved via the MS SQL 
server sa password. We did not have IIS running but had 
enough files removed to require a complete rebuild. We 
also believed all systems to have been properly patched.

Were any of the other servers attacked behind a firewall 
or were they all visible?

Alphonse 
> From: "Steve Zenone" <zenone () cats ucsc edu>
> To: <incidents () securityfocus com>
> Cc: <thompson () isc upenn edu>
> Subject: RE: Windows Systems Defaced
> Date: Thu, 2 May 2002 20:23:56 -0700
> > Hello,
> Stephen W. Thompson wrote:
> |> Have any of you seen similar activity? Any thoughts?
> |
> |Yes, we had one that matches most of your details.  These
> |are exact matches:
> |
> |>  [] Damage occurred around 1600 on 5/1/2002
> |BUT=3D>   (approx. 16:00 EDT for us)
> |>  [] Win-popup message with "F---ing University of 
Rochester"
> |>       -- NOTE: not all systems running IIS
> |>  [] Admins claimed that all systems were patched 
correctly
> |>  [] Most were running updated and current AV
>
> Thank you very much for your reply - it definitely helps!
>
> We have been seeing MS-SQL (1433/tcp) attacks that try 
and execute=20
> the following:=20
>
> -----BEGIN SNIPPET-----
>    xp_cmdshell 'echo net send localhost F---ing 
University of Rochester =
> rebooting... > rochester.bat'
>
>    xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> 
rochester.bat'
>    xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> 
rochester.bat'
>    xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> 
rochester.bat'
>    xp_cmdshell 'at /delete /y'
>
>    xp_cmdshell 'echo if exist \inetpub\wwwroot\ type=20
> %systemroot%\rochester.html ^ 
e:\inetpub\wwwroot\index.html >>=20
> rochester.bat'
> -----END SNIPPET-----
>
> The above commands were directed to systems that were 
listening on
> port 1433/tcp and accessible from the outside. It appears 
that there
> were multiple source IPs involved in this attack.
>
> At this time, I am not completely clear on how to protect 
from this
> attack. What I've researched is that since external 
functions such=20
> as xp_cmdshell, xp_startmail, xp_sendmail, and 
xp_stopmail present=20
> possible security risks, it is recommended to drop such 
external=20
> system functions.  Else, deny EXECUTE permission on them 
to specific=20
> users/roles if dropping these procedures would break any 
of the SQL=20
> Server. I haven't tested this - but does anyone on this 
list know if
> this is a safe and effective solution?
>
> Regards,
> Steve
>
>
> ----------------------------------------------------------
------------------
> This list is provided by the SecurityFocus ARIS analyzer 
service.
> For more information on this free incident handling, 
management 
> and tracking system please see: 
http://aris.securityfocus.com
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com