Security Incidents mailing list archives
Re: Re: DDoS to microsoft sites
From: "Mike Lewinski" <mike () rockynet com>
Date: Thu, 31 Jan 2002 08:12:00 -0700
<auto241065 () hushmail com> asks:

> On Wed, 30 Jan 2002 08:59:18 -0700, Mike Lewinski <mike () rockynet com>
> wrote:
>
> > I'm guessing that the SQL server is the infection vector in both these
> > cases, but equally suspect that the exploit is from the vulnerability in
> > @stake's recent MS-SQL advisory:
> > http://www.atstake.com/research/advisories/2001/a122001-1.txt
>
> What makes you suspect this vulnerability was exploited? Are you able to
> post a packet capture or any other logs?

It's just a hunch, based on the likelihood that if this were a new IIS worm we would have seen more than 2 infections here [0]. I did get confirmation that one of the boxes in the current incident had an empty 'sa' SQL password, so it could also be the W32/SQLWorm that someone pointed out to me privately:

http://www.geek.com/news/geeknews/2001nov/gee20011123008988.htm

I don't have any packet captures, because we blocked it upstream as soon as we identified the sources of the attack (which were not spoofed, fwiw - a possible sign that this DDoS has enough zombies that it doesn't matter).

I doubt our clients will be able to do a proper forensics exam. We've strongly encouraged both to reformat and reinstall, but I'll ask if we can get copies of any infected files or rootkit tracks. I doubt they've done any post-mortem (odds are that one will ignore the reinstall advice, so maybe I'll get a second shot at it...)

Mike

[0] Both Code Red and NIMDA hit more than 20 systems (there were repeat lusers, but not all). NIMDA spread amazingly fast, so much that I believe all vulnerable machines on our client networks were infected within 10-15 minutes of each other (has anyone investigated the possibility it was a Warhol worm initially? Those clients are spread out over many unique netblocks.)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
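The post's suspected vector is an internet-reachable SQL Server with a blank 'sa' password. As an added example (not from the thread or from any of the posters), here is a small triage script that runs over SQL Server logon lines and lists successful 'sa' logins from addresses outside the networks you consider your own. The log layout, the sample lines and the INTERNAL_NETS ranges are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in a SQL Server errorlog-like layout; the format and the
# addresses are assumptions for this example, not data from the incident.
SAMPLE_LOG = """\
2002-01-29 03:14:02.11 logon  Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 192.168.10.7]
2002-01-29 03:14:05.40 logon  Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 198.51.100.23]
2002-01-29 03:14:09.02 logon  Login succeeded for user 'webapp'. Connection: Non-Trusted. [CLIENT: 192.168.10.9]
2002-01-29 03:21:47.88 logon  Login succeeded for user 'sa'. Connection: Non-Trusted. [CLIENT: 203.0.113.77]
2002-01-29 03:22:01.15 logon  Login failed for user 'sa'. [CLIENT: 203.0.113.78]
"""

# Address ranges treated as "our own" (assumed); anything else is external.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16"), ipaddress.ip_network("10.0.0.0/8")]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+) logon\s+"
    r"Login (?P<result>succeeded|failed) for user '(?P<user>[^']+)'"
    r".*\[CLIENT: (?P<ip>[0-9.]+)\]"
)

def parse_logon_events(log_text):
    """Return one dict per parseable logon line; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "ok": m["result"] == "succeeded",
            "user": m["user"].lower(),
            "ip": ipaddress.ip_address(m["ip"]),
        })
    return events

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def external_sa_logins(log_text):
    """Successful 'sa' logins from outside INTERNAL_NETS: the trace an exposed
    SQL Server with a blank sa password leaves when a worm walks in."""
    return [(e["ts"].isoformat(sep=" "), str(e["ip"]))
            for e in parse_logon_events(log_text)
            if e["ok"] and e["user"] == "sa" and not is_internal(e["ip"])]

if __name__ == "__main__":
    for ts, ip in external_sa_logins(SAMPLE_LOG):
        print(f"{ts}  sa login from external host {ip}")
```

Two of the five constructed lines are flagged (198.51.100.23 and 203.0.113.77); the failed attempt and the internal logins are not.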
Current thread:
- DDoS to microsoft sites Mike Lewinski (Jan 29)
- Re: DDoS to microsoft sites Bronek Kozicki (Jan 30)
- Re: DDoS to microsoft sites Mike Lewinski (Jan 30)
- Re: DDoS to microsoft sites Hugo van der Kooij (Jan 30)
- <Possible follow-ups>
- RE: DDoS to microsoft sites John Campbell (Jan 30)
- RE: DDoS to microsoft sites Adcock, Matt (Jan 30)
- RE: DDoS to microsoft sites H C (Jan 30)
- RE: DDoS to microsoft sites Jason Robertson (Jan 31)
- RE: DDoS to microsoft sites Adcock, Matt (Jan 30)
- RE: DDoS to microsoft sites Dave Ockwell-Jenner (Jan 30)
- Re: Re: DDoS to microsoft sites Mike Lewinski (Jan 31)
- Re: DDoS to microsoft sites Bronek Kozicki (Jan 30)
