Re: Re: DDoS to microsoft sites

From: Mike Lewinski (mike@rockynet.com)
Date: 01/31/02


From: "Mike Lewinski" <mike@rockynet.com>
To: <incidents@securityfocus.com>
Date: Thu, 31 Jan 2002 08:12:00 -0700


<auto241065@hushmail.com> asks:

> On Wed, 30 Jan 2002 08:59:18 -0700, Mike Lewinski <mike@rockynet.com>
> wrote:
> >I'm guessing that the SQL server is the infection vector in both these
> >cases, but equally suspect that the exploit is from the vulnerability in
> >@stake's recent MS-SQL advisory:
> >http://www.atstake.com/research/advisories/2001/a122001-1.txt
>
> What makes you suspect this vulnerability was exploited? Are you able to
> post a packet capture or any other logs?

It's just a hunch, based on the likelihood that if this were a new IIS worm
we would have seen more than 2 infections here [0].

I did get confirmation that one of the boxes in the current incident had an
empty 'sa' SQL password, so it could also be the W32/SQLWorm that someone
pointed out to me privately:

http://www.geek.com/news/geeknews/2001nov/gee20011123008988.htm

I don't have any packet captures, because we blocked it upstream as soon as
we identified the sources of the attack (which were not spoofed, fwiw- a
possible sign that this DDoS has enough zombies that it doesn't matter). I
doubt our clients will be able to do a proper forensics exam. We've strongly
encouraged both to reformat and reinstall, but I'll ask if we can get copies
of any infected files or rootkit tracks. I doubt they've done any
post-mortem (odds are that one will ignore the reinstall advice so maybe
I'll get a second shot at it...)

Mike

[0] Both Code Red and NIMDA hit more than 20 systems (there were repeat
lusers, but not all). NIMDA spread amazingly fast, so much so that I believe
all vulnerable machines on our client networks were infected within 10-15
minutes of each other (has anyone investigated the possibility that it was a
Warhol worm initially? Those clients are spread out over many unique
netblocks.)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
