Re: DDoS to microsoft sites

["Mike Lewinski" <mike () rockynet com>]

We were able to get a port scan of the other client's infected box, and it
too was running IIS and MS-SQL. However, in addition it also had tcp
6667/6668 open. Ironically, this same client's server was running Linux two
years ago, and intruders installed an eggdrop bot there. I believe that
incident (which totaled their machine before any data recovery was possible)
caused them to look to a Microsoft solution.

The primary difference between the two clients is that the first port scan I
sent in was done via a crossover cable (meaning the rooted box had been
unplugged from the network). So I suspect that whatever it is detects
disconnection of network media and terminates itself.

"Bronek Kozicki" <brok () rubikon pl> writes:

> Most probably your client has been rooted. Among above services,
> following are especially easy to hack:
> - netbios (brute force attack on Administrator account)

The 2nd client had their netbios ports locked down. I believe it was behind
a very basic packet filter. Assuming that both machines were compromised by
the same tool, I don't think that this was the vector.

> - http (whole lot of exploits, running on nonpatched IIS)

I believe that both boxes had enough patches applied to withstand ongoing
Code Red/Nimda attacks for many months. We typically find out when our
clients install a new IIS server and don't patch it within a day or two
(which is simply the lag time between the initial infection and first
report-- they usually only last a couple hours at best).

> - sql-server (default empty password for 'sa' account; brute force
> attack if password is not empty)

I'm guessing that the SQL server is the infection vector in both these
cases, but equally suspect that the exploit is from the vulnerability in
@stake's recent MS-SQL advisory:
http://www.atstake.com/research/advisories/2001/a122001-1.txt

> From above list its almost obvious
> that they do not have a clue about security and should not be
> connected to the Internet.

This is probably true for 80% of our clients, and the same goes for the rest
of the Internet. Removing all the clueless users would promptly bankrupt the
Tier 1 providers who don't have alternate sources of income and cause The
End of the Internet ;)

--

Because I'm sure that the following sentiment is shared elsewhere on the
list, I want to also respond to a private message I received in regards to
Microsoft being attacked:

>  Is this supposed to be a bad thing?

We typically notice this type of activity because:

a) It's impacting our operations (i.e. link saturation, router resource
depletion)
b) It's increasing our bandwidth costs

So yes, this was a bad thing, and we blocked it as soon as we were able to
identify the sources.

Mike




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com