Security Incidents mailing list archives

Somewhat Interesting NIPC Alert


From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Thu, 8 Mar 2001 13:53:36 -0700

NIPC ADVISORY 01-003

This advisory is an update to the NIPC Advisory 00-060, "E-Commerce
Vulnerabilities", dated December 1, 2000. Since the advisory was
published, the FBI has continued to observe hacker activity targeting
victims associated with e-commerce or e-finance/banking businesses.
In many cases, the hacker activity had been ongoing for several months
before the victim became aware of the intrusion. The NIPC emphasizes
the recommendation that all computer network systems administrators
check relevant systems and consider applying the updated patches as
necessary, especially for systems related to e-commerce or
e-banking/financial businesses. The patches are available on Microsoft's
web site, and users should refer to the URLs listed below.

The following vulnerabilities have been previously reported:

Unauthorized Access to IIS Servers through Open Database
Connectivity (ODBC) Data Access with Remote Data Service (RDS):
Systems Affected:  Windows NT running IIS with RDS enabled.
Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes
99-22

http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
http://www.nipc.gov/warnings/advisories/1999/99-027.htm,
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: Allows unauthorized users to execute shell commands on the
IIS system as a privileged user; allows unauthorized access to secured,
non-published files on the IIS system; on multi-homed
Internet-connected IIS systems using Microsoft Data Access Components
(MDAC), allows unauthorized users to tunnel Structured Query Language
(SQL) and other ODBC data requests through the public connection to a
private back-end network.

SQL Query Abuse Vulnerability
Affected Software Versions:  Microsoft SQL Server Version 7.0 and
Microsoft Data Engine (MSDE) 1.0
Details:  Microsoft Security Bulletin MS00-14, NIPC CyberNotes
20-05

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary:  The vulnerability could allow the remote author of a malicious
SQL query to take unauthorized actions on a SQL Server or MSDE database.

Registry Permissions Vulnerability
Systems Affected:  Windows NT 4.0 Workstation, Windows NT 4.0
Server
Details:  Microsoft Security Bulletin MS00-008, NIPC CyberNotes
20-08 and 20-22

http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary: Users can modify certain registry keys such that:
        a malicious user could specify code to launch at system crash
        a malicious user could specify code to launch at next login
        an unprivileged user could disable security measures

Web Server File Request Parsing

While they have not been shown to be a vector for the current attacks,
Microsoft has advised us that the vulnerabilities addressed by Microsoft
bulletin MS00-086 are very serious, and we encourage web site operators
to consider applying the patch provided with this bulletin as well as
the three that are under active exploitation.

http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
http://www.nipc.gov/cybernotes/cybernotes.htm

Summary:  The vulnerability could allow a malicious user to run
system commands on a web server.

New Information:  In addition to the above exploits, several filenames
have been identified in connection with the intrusions, specific to
Microsoft Windows NT systems.  The presence of any of these files on
your system should be reviewed carefully because they may indicate that
your system has been compromised:
ntalert.exe
sysloged.exe
tapi.exe
20.exe
21.exe
25.exe
80.exe
139.exe
1433.exe
1520.exe
26405.exe
i.exe

In addition, system administrators may want to check for the
unauthorized presence of any of the following executable files, which
are often used as hacking tools:
lomscan.exe
mslom.exe
lsaprivs.exe
pwdump.exe
serv.exe
smmsniff.exe

Recipients of this Advisory are encouraged to report computer crime to
the NIPC Watch at (202) 323-3204/3205/3206. Incidents may also be
reported online at www.nipc.gov/incident/cirr.htm.



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE6p+mz+LUG5KFpTkYRApVrAKCd6rT++htahvzbxsIkbqMVa74fuACcDKaQ
wsjk3kVpcNQP2fPrMR9IQSw=
=WIaD
-----END PGP SIGNATURE-----
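The advisory above tells administrators to look for two lists of executable names: those whose presence may indicate a compromise, and those that are commonly used as hacking tools. The following script is an added example, not part of the NIPC advisory or of Alfred Huger's post: it walks a set of directories and reports any file whose name (compared case-insensitively, since NTFS lookups are case-insensitive) matches either list. The directory tree it scans in the demo is constructed in a temporary folder; on a real system you would pass the drive roots you want checked, and every hit still needs the careful review the advisory calls for (file hashes, timestamps, and where the file came from), because a name match alone is not proof of intrusion.

```python
"""Scan directories for the executable names listed in NIPC Advisory 01-003.

Added example; the sample tree built by build_sample_tree() is constructed
for the demonstration and is not taken from any real incident.
"""
import os
import tempfile
from pathlib import Path

# Names the advisory says "may indicate that your system has been compromised".
INTRUSION_FILES = {
    "ntalert.exe", "sysloged.exe", "tapi.exe", "20.exe", "21.exe", "25.exe",
    "80.exe", "139.exe", "1433.exe", "1520.exe", "26405.exe", "i.exe",
}

# Names the advisory lists as executables "often used as hacking tools".
TOOL_FILES = {
    "lomscan.exe", "mslom.exe", "lsaprivs.exe", "pwdump.exe", "serv.exe",
    "smmsniff.exe",
}


def scan_for_indicators(roots, intrusion=INTRUSION_FILES, tools=TOOL_FILES):
    """Walk each root directory and return sorted (category, path) tuples.

    category is "intrusion-indicator" for names in the first list and
    "hacking-tool" for names in the second. Matching is case-insensitive
    because NTFS treats NOTEPAD.EXE and notepad.exe as the same file.
    """
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            for name in filenames:
                lower = name.lower()
                if lower in intrusion:
                    hits.append(("intrusion-indicator", os.path.join(dirpath, name)))
                elif lower in tools:
                    hits.append(("hacking-tool", os.path.join(dirpath, name)))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample: a small fake NT-style tree with two hits.

    Two benign files are included so the scan shows it only reports
    the listed names, not every executable it sees.
    """
    base = Path(base)
    system32 = base / "WINNT" / "system32"
    scripts = base / "Inetpub" / "scripts"
    system32.mkdir(parents=True, exist_ok=True)
    scripts.mkdir(parents=True, exist_ok=True)
    (system32 / "notepad.exe").write_bytes(b"")   # benign, not listed
    (system32 / "PWDUMP.EXE").write_bytes(b"")    # listed tool, upper case
    (scripts / "1433.exe").write_bytes(b"")       # listed intrusion indicator
    (scripts / "default.asp").write_bytes(b"")    # benign, not listed
    return base


def run_demo():
    """Build the constructed tree in a temp dir, scan it, return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return scan_for_indicators([root])


if __name__ == "__main__":
    for category, path in run_demo():
        print(f"{category}: {path}")
```

Against a live system, call `scan_for_indicators(["C:\\"])` (or whichever volumes host IIS and SQL Server) and treat the output as a review list rather than a verdict.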

