Re: DDoS to microsoft sites

[Bronek Kozicki <brok () rubikon pl>]

Hello

Wednesday, January 30, 2002, 12:23:51 AM, you wrote:
> A port scan of one of the infected hosts shows:

>      7  Echo
>      9  Discard
>     13  Daytime
>     17  Quote of the Day
>     19  Character Generator
>     21  File Transfer Protocol [Control]
>     25  Simple Mail Transfer
>     80  World Wide Web HTTP
>    135  DCE endpoint resolution
>    139  NETBIOS Session Service
>    443  https  MCom
>    445  Microsoft-DS
>    548  AFP over TCP
>   1025  network blackjack
>   1026
>   1027  ICQ?
>   1433  Microsoft-SQL-Server
>   5631  pcANYWHEREdata

> The client claims that they are not running Appletalk (548) but I'm not sure
> whether to believe. We haven't been able to get console access to that
> machine to do any further investigation (but have blocked it upstream). Of
> the above services, most look legit from what I can tell with the exception
> of 548 and 1025-1027

Most probably your client has been rooted. Among above services,
following are especially easy to hack:
- netbios (brute force attack on Administrator account)
- http (whole lot of exploits, running on nonpatched IIS)
- sql-server (default empty password for 'sa' account; brute force
attack if password is not empty)

I think you client have no idea what's going on their servers, and
they will keep claiming that "everything is fine" till they find their
data at the competition site :/ From above list its almost obvious
that they do not have a clue about security and should not be
connected to the Internet.

Kind regards,

B.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com