Security Incidents mailing list archives

RE: DDoS to microsoft sites


From: "Adcock, Matt" <Matt.Adcock () gsccca org>
Date: Wed, 30 Jan 2002 12:47:09 -0500

The fact that ports are listening for SQL traffic, NetBIOS traffic, and HTTP
requests **has absolutely nothing to do with being rooted**.  According to
your logic, the only way to make a secure machine is to shut everything off.
That's absolutely ridiculous.  Guess what, these services are on lots of
Windows machines, including mine, but are protected by firewalls.

I'd really like for you to explain to me how a Windows network will run
without NetBIOS.  Try shutting it down sometime - you'll break your Windows
network, even 2000.  I'd also like for you to explain to me how you can
brute force attack admin accounts just because NetBIOS is open.

Matt

-----Original Message-----
From: Bronek Kozicki [mailto:brok () rubikon pl]
Sent: Wednesday, January 30, 2002 3:21 AM
To: Mike Lewinski
Cc: incidents () securityfocus com
Subject: Re: DDoS to microsoft sites


Hello

Wednesday, January 30, 2002, 12:23:51 AM, you wrote:
A port scan of one of the infected hosts shows:

     7  Echo
     9  Discard
    13  Daytime
    17  Quote of the Day
    19  Character Generator
    21  File Transfer Protocol [Control]
    25  Simple Mail Transfer
    80  World Wide Web HTTP
   135  DCE endpoint resolution
   139  NETBIOS Session Service
   443  https  MCom
   445  Microsoft-DS
   548  AFP over TCP
  1025  network blackjack
  1026
  1027  ICQ?
  1433  Microsoft-SQL-Server
  5631  pcANYWHEREdata

The client claims that they are not running Appletalk (548) but I'm not sure
whether to believe them. We haven't been able to get console access to that
machine to do any further investigation (but have blocked it upstream). Of
the above services, most look legit from what I can tell with the exception
of 548 and 1025-1027.

Most probably your client has been rooted. Among the above services, the
following are especially easy to hack:
- netbios (brute force attack on Administrator account)
- http (whole lot of exploits, running on nonpatched IIS)
- sql-server (default empty password for 'sa' account; brute force
attack if password is not empty)

I think your client has no idea what's going on on their servers, and
they will keep claiming that "everything is fine" till they find their
data at the competition's site :/ From the above list it's almost obvious
that they do not have a clue about security and should not be
connected to the Internet.

Kind regards,

B.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
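The two posters above disagree about whether an open-port list by itself says anything about exposure. The point both sides are circling is that a listener only matters to an Internet attacker if the packet filter in front of the host lets the connection through. The following is an added example, not code from the thread or from either poster: it takes the listener list posted above and evaluates it against a first-match firewall ruleset from two vantage points, once with a permissive ruleset (every listener reachable) and once with a restrictive one. The rulesets, the address ranges, and the "high-risk" port set (the services the second poster names as easy targets) are assumptions made up for the example.

```python
"""Firewall exposure check for a scanned listener list (added example)."""
import ipaddress
from dataclasses import dataclass

# Listening TCP ports as posted in the thread (port -> service label).
SCANNED_LISTENERS = {
    7: "echo", 9: "discard", 13: "daytime", 17: "qotd", 19: "chargen",
    21: "ftp", 25: "smtp", 80: "http", 135: "epmap", 139: "netbios-ssn",
    443: "https", 445: "microsoft-ds", 548: "afpovertcp",
    1025: "unknown", 1026: "unknown", 1027: "unknown",
    1433: "ms-sql-s", 5631: "pcanywheredata",
}

# Services the second poster singles out as easy targets when reachable.
HIGH_RISK = frozenset({80, 139, 445, 1433})


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network        # source address range the rule matches
    ports: frozenset                  # destination ports; empty means any port


def rule(action, cidr, *ports):
    return Rule(action, ipaddress.ip_network(cidr), frozenset(ports))


# Assumed "no firewall" policy: everything reachable from anywhere.
NO_FIREWALL = [rule("allow", "0.0.0.0/0")]

# Assumed hardened policy: public web and mail only, internal range gets
# everything, explicit default deny at the end.
HARDENED = [
    rule("allow", "0.0.0.0/0", 25, 80, 443),
    rule("allow", "10.0.0.0/8"),
    rule("deny", "0.0.0.0/0"),
]


def is_reachable(rules, src_ip, port):
    """First-match evaluation of the packet filter for one inbound TCP SYN."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if src in r.src and (not r.ports or port in r.ports):
            return r.action == "allow"
    return False  # no rule matched: treat as denied


def exposed_listeners(rules, listeners, src_ip):
    """{port: service} for every listener the given source can connect to."""
    return {p: s for p, s in listeners.items() if is_reachable(rules, src_ip, p)}


def risky_exposure(rules, listeners, src_ip):
    """Sorted ports that are both reachable from src_ip and in HIGH_RISK."""
    reachable = exposed_listeners(rules, listeners, src_ip)
    return sorted(p for p in reachable if p in HIGH_RISK)


if __name__ == "__main__":
    # Assumed vantage points: an Internet address and an internal one.
    for name, rules in (("no firewall", NO_FIREWALL), ("hardened", HARDENED)):
        for vantage in ("203.0.113.10", "10.20.30.40"):
            risky = risky_exposure(rules, SCANNED_LISTENERS, vantage)
            print(f"{name:12s} from {vantage:14s}: risky reachable ports {risky}")
```

With the permissive policy, every listener in the posted list, including SQL Server and the NetBIOS/SMB ports, is reachable from the Internet address; with the hardened policy, only SMTP, HTTP and HTTPS are, and the same host still answers on 139, 445 and 1433 from the internal range. The scan output is identical in both cases, which is why the port list alone cannot settle the argument; the filter policy has to be checked from the outside.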
