Re: DDoS to microsoft sites

From: Bronek Kozicki (brok@rubikon.pl)
Date: 01/30/02


Date: Wed, 30 Jan 2002 09:20:31 +0100
From: Bronek Kozicki <brok@rubikon.pl>
To: "Mike Lewinski" <mike@rockynet.com>

Hello

Wednesday, January 30, 2002, 12:23:51 AM, you wrote:
> A port scan of one of the infected hosts shows:

> 7 Echo
> 9 Discard
> 13 Daytime
> 17 Quote of the Day
> 19 Character Generator
> 21 File Transfer Protocol [Control]
> 25 Simple Mail Transfer
> 80 World Wide Web HTTP
> 135 DCE endpoint resolution
> 139 NETBIOS Session Service
> 443 https MCom
> 445 Microsoft-DS
> 548 AFP over TCP
> 1025 network blackjack
> 1026
> 1027 ICQ?
> 1433 Microsoft-SQL-Server
> 5631 pcANYWHEREdata

> The client claims that they are not running AppleTalk (548) but I'm not sure
> whether to believe them. We haven't been able to get console access to that
> machine to do any further investigation (but have blocked it upstream). Of
> the above services, most look legit from what I can tell, with the exception
> of 548 and 1025-1027.

Most probably your client has been rooted. Among the above services,
the following are especially easy to hack:
- netbios (brute force attack on the Administrator account)
- http (a whole lot of exploits, if running on unpatched IIS)
- sql-server (default empty password for the 'sa' account; brute force
attack if the password is not empty)

I think your client has no idea what's going on on their servers, and
they will keep claiming that "everything is fine" till they find their
data on the competition's site :/ From the above list it's almost obvious
that they do not have a clue about security and should not be
connected to the Internet.

Kind regards,

B.
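The two posts above reason purely from port numbers and IANA names. As an added example (not code from either poster), the script below does the two things a responder would actually want to do with such a listing: parse it and flag the ports the reply names as easy targets plus the ones the original poster found out of place, then connect to each port and classify the listener from what it actually says rather than from the port's IANA name. The scan listing is the one quoted in the thread; the banner heuristics, the `PROBES` table, the sample banners in the usage and the convention of passing the host to probe as the first command-line argument are all assumptions of this example.

```python
"""Triage a 'port name' scan listing and verify listeners by banner.

Added example for this thread, not code from the original posts.
"""
import re
import socket

# Constructed sample: the scan output quoted in the thread, one "port name" per line.
SCAN_OUTPUT = """\
7 Echo
9 Discard
13 Daytime
17 Quote of the Day
19 Character Generator
21 File Transfer Protocol [Control]
25 Simple Mail Transfer
80 World Wide Web HTTP
135 DCE endpoint resolution
139 NETBIOS Session Service
443 https MCom
445 Microsoft-DS
548 AFP over TCP
1025 network blackjack
1026
1027 ICQ?
1433 Microsoft-SQL-Server
5631 pcANYWHEREdata
"""

# Ports the reply singles out, with the attack it names for each.
EASY_TARGETS = {
    139: "NetBIOS: brute force of the Administrator account",
    80: "HTTP: unpatched IIS exploits",
    1433: "MS-SQL: empty or guessable 'sa' password",
}
# Ports the original poster said look out of place on this host.
UNEXPECTED = {548, 1025, 1026, 1027}

# Assumed probes for listeners that wait for the client to speak first;
# every other port is read-only (we connect and wait for a greeting).
PROBES = {
    7: b"echo-test\r\n",             # echo must return this verbatim
    80: b"HEAD / HTTP/1.0\r\n\r\n",  # any HTTP/1.x server answers this
}


def parse_scan(text):
    """Return {port: name} from lines of the form '<port> <name>'; name may be empty."""
    ports = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s*(.*)", line)
        if m:
            ports[int(m.group(1))] = m.group(2).strip()
    return ports


def triage(ports):
    """Return [(port, reason)] for every port worth a closer look, lowest port first."""
    findings = []
    for port in sorted(ports):
        if port in EASY_TARGETS:
            findings.append((port, EASY_TARGETS[port]))
        elif port in UNEXPECTED:
            findings.append((port, "unexpected on this host; verify what is listening"))
    return findings


def identify(port, banner, probe=b""):
    """Classify a listener from the bytes it returned after receiving `probe`."""
    if banner.startswith(b"HTTP/1."):
        server = re.search(rb"(?im)^Server:\s*(.+?)\r?$", banner)
        return ("http (%s)" % server.group(1).decode("latin-1")) if server else "http"
    if re.match(rb"220[ -]", banner):           # FTP and SMTP both greet with 220
        if re.search(rb"\bE?SMTP\b", banner, re.I):
            return "smtp"
        if b"FTP" in banner.upper():
            return "ftp"
        return "220 greeting (ftp or smtp)"
    if probe and banner == probe:
        return "echo"
    if not banner:
        # SMB, RPC, MS-SQL, AFP/DSI, pcAnywhere and TLS all wait for the client,
        # so a plain connect proves only that something accepted the TCP session.
        return "silent: no greeting, needs a protocol-specific probe"
    return "unknown: %r" % banner[:40]


def grab_banner(host, port, timeout=3.0):
    """Connect, send the port's probe (if any) and return (probe, reply bytes)."""
    probe = PROBES.get(port, b"")
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            return probe, s.recv(1024)
        except socket.timeout:
            return probe, b""


if __name__ == "__main__":
    import sys
    ports = parse_scan(SCAN_OUTPUT)
    for port, reason in triage(ports):
        print("%5d %-35s %s" % (port, ports[port] or "(no IANA name)", reason))
    if len(sys.argv) > 1:        # hypothetical: host to probe is the first argument
        for port in sorted(ports):
            try:
                probe, banner = grab_banner(sys.argv[1], port)
                print(port, identify(port, banner, probe))
            except OSError as exc:
                print(port, "connect failed:", exc)
```

Run with no arguments it only prints the triage of the quoted listing; give it a host and it also grabs banners. Note that most of the services in this listing (135, 139, 445, 548, 1433, 5631, and TLS on 443) say nothing until the client speaks their protocol, so the "silent" result is the expected one there and is not evidence either way. The script deliberately does not guess at 1025-1027: on Windows 2000 hosts those are commonly RPC dynamic endpoints registered with the endpoint mapper on 135, and the IANA labels the scanner printed ("network blackjack", "ICQ?") say nothing about what is actually bound there.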

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

