RE: DDoS to microsoft sites
From: Adcock, Matt (Matt.Adcock@gsccca.org) Date: 01/30/02
- Previous message: Adcock, Matt: "RE: DDoS to microsoft sites"
- Maybe in reply to: Mike Lewinski: "DDoS to microsoft sites"
- Next in thread: Dave Ockwell-Jenner: "RE: DDoS to microsoft sites"
- Reply: Dave Ockwell-Jenner: "RE: DDoS to microsoft sites"
From: "Adcock, Matt" <Matt.Adcock@gsccca.org>
To: "'Mike Lewinski'" <mike@rockynet.com>, incidents@securityfocus.com
Date: Wed, 30 Jan 2002 12:52:05 -0500
I believe both tcp/6667 and tcp/6668 are used for IRC. It would make
sense that these are network aware. I know other IMs are.
Matt
-----Original Message-----
From: Mike Lewinski [mailto:mike@rockynet.com]
Sent: Wednesday, January 30, 2002 10:59 AM
To: incidents@securityfocus.com
Subject: Re: DDoS to microsoft sites
We were able to get a port scan of the other client's infected box, and it
too was running IIS and MS-SQL. However, in addition it also had tcp
6667/6668 open. Ironically, this same client's server was running Linux two
years ago, and intruders installed an eggdrop bot there. I believe that
incident (which totaled their machine before any data recovery was possible)
caused them to look to a Microsoft solution.
The primary difference between the two clients is that the first port scan I
sent in was done via a crossover cable (meaning the rooted box had been
unplugged from the network). So I suspect that whatever it is detects
disconnection of network media and terminates itself.
"Bronek Kozicki" <brok@rubikon.pl> writes:
> Most probably your client has been rooted. Among above services,
> following are especially easy to hack:
> - netbios (brute force attack on Administrator account)
The 2nd client had their netbios ports locked down. I believe it was behind
a very basic packet filter. Assuming that both machines were compromised by
the same tool, I don't think that this was the vector.
> - http (whole lot of exploits, running on nonpatched IIS)
I believe that both boxes had enough patches applied to withstand ongoing
Code Red/Nimda attacks for many months. We typically find out when our
clients install a new IIS server and don't patch it within a day or two
(which is simply the lag time between the initial infection and first
report -- they usually only last a couple hours at best).
> - sql-server (default empty password for 'sa' account; brute force
> attack if password is not empty)
I'm guessing that the SQL server is the infection vector in both these
cases, but equally suspect that the exploit is from the vulnerability in
@stake's recent MS-SQL advisory:
http://www.atstake.com/research/advisories/2001/a122001-1.txt
> From the above list it's almost obvious
> that they do not have a clue about security and should not be
> connected to the Internet.
This is probably true for 80% of our clients, and the same goes for the rest
of the Internet. Removing all the clueless users would promptly bankrupt the
Tier 1 providers who don't have alternate sources of income and cause The
End of the Internet ;)
--
Because I'm sure that the following sentiment is shared elsewhere on the list, I want to also respond to a private message I received in regards to Microsoft being attacked:
> Is this supposed to be a bad thing?
We typically notice this type of activity because:
a) It's impacting our operations (i.e. link saturation, router resource depletion)
b) It's increasing our bandwidth costs
So yes, this was a bad thing, and we blocked it as soon as we were able to identify the sources.
Mike
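The thread's indicator is simple: an IIS + MS-SQL box that also listens on tcp/6667 or tcp/6668 is probably hosting an IRC bot. The following script is an added example (not code from either poster) that turns that triage step into something repeatable: it parses port-scan output and flags open TCP ports outside a baseline, tagging the IRC ports separately. The scan format, the two host addresses and the expected-port baseline are constructed for the example.

```python
"""Flag unexpected listening ports in port-scan output (added example).

Assumptions (not from the thread): scan results are in the simple
"port/proto  state  service" format below, and the expected-port
baseline for an IIS + MS-SQL server is a hypothetical one.
"""
import re

# Constructed sample scan output for two hosts, modelled loosely on the
# thread (IIS + MS-SQL, one of them with tcp/6667-6668 open).
SCAN_OUTPUT = """\
Host: 192.0.2.10
80/tcp    open  http
135/tcp   open  msrpc
1433/tcp  open  ms-sql-s

Host: 192.0.2.20
80/tcp    open  http
1433/tcp  open  ms-sql-s
6667/tcp  open  irc
6668/tcp  open  irc
"""

# Ports an IIS + MS-SQL box is expected to expose (hypothetical baseline).
EXPECTED_PORTS = {80, 443, 1433}
# IRC ports named in the thread; a web/database server has no reason to
# listen on them.
IRC_PORTS = {6667, 6668}

HOST_RE = re.compile(r"^Host:\s+(\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_scan(text):
    """Return {host: [(port, proto, state, service), ...]}."""
    hosts = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service = m.groups()
            hosts[current].append((int(port), proto, state, service))
    return hosts


def find_unexpected(hosts, expected=EXPECTED_PORTS, irc=IRC_PORTS):
    """Map each host to its open TCP ports outside the baseline.

    IRC ports get a 'possible IRC bot' tag so they stand out in triage;
    anything else outside the baseline is reported as 'outside baseline'.
    """
    findings = {}
    for host, ports in hosts.items():
        for port, proto, state, service in ports:
            if proto != "tcp" or state != "open" or port in expected:
                continue
            tag = "possible IRC bot" if port in irc else "outside baseline"
            findings.setdefault(host, []).append((port, service, tag))
    return findings


if __name__ == "__main__":
    for host, items in find_unexpected(parse_scan(SCAN_OUTPUT)).items():
        for port, service, tag in items:
            print(f"{host}: tcp/{port} ({service}) - {tag}")
```

One caveat that the thread itself raises: a scan taken over a crossover cable after the host has been unplugged may not show the bot at all if the implant exits when the link drops, so compare against a scan (or a capture from a span port) taken while the machine is still connected before treating a clean result as meaningful.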
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com