
New worm DDoS tool making the rounds

me101 on 22 November 2001 - 02:10 · 1 comment & 74 views

SecurityFocus has identified a new hybrid tool that combines distributed denial of service (DDoS) tools with the automated propagation techniques previously seen only in worms.

SecurityFocus ARIS incident analysts identified a rapidly growing network of controlled agents, or "bots", which grew by 600% in the last 6 hours and can be used to launch a DDoS attack. The tool propagates through incorrectly configured Microsoft SQL Server systems (and servers that have not been patched against the "Extended Stored Procedure Parameter Parsing" vulnerability discussed in Microsoft Security Bulletin MS00-092) by scanning for System Administrator accounts that use a password specified by the attacker.

SecurityFocus recommendations:
  • Verify that the System Administrator "sa" account does not have a blank password if running Microsoft SQL server
  • Use a firewall to block port 1433
The tool, named "Voyager Alpha Force", is a modified and enhanced version of the DDoS tool Kaiten. It is human-controlled through Internet Relay Chat (IRC): it connects to an IRC server (bots.kujikiri.net, on port 6669), joins a password-protected channel and starts scanning for other vulnerable systems. An attacker is thus able to control a large number of agents residing on compromised hosts by issuing commands that initiate a DDoS attack or cause the program to continue propagating.

Additionally, the SQL worm reportedly propagates itself by scanning for systems that have port 1433 open. When it finds a system with the port open, it downloads the files dnsservice.exe, win32mon.exe and win32bnc.exe from foo.com (IP address 207.29.192.160) and starts them.

News source: SecurityFocus Announcement
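The advisory above gives defenders two network-visible signals for an infected host: a fan-out of TCP/1433 connection attempts against many different machines (the worm's SQL Server scanning) and outbound IRC traffic on TCP/6669 (its control channel). The following script is an added example, not code from SecurityFocus or from the tool itself; it runs that detection logic over constructed firewall log lines. The log format, the addresses, the 60-second window and the fan-out threshold of 5 are all assumptions made for the example and should be adapted to a real firewall's format and a real network's baseline.

```python
"""Added example (not from the SecurityFocus advisory): flag internal hosts
whose traffic matches the behaviour described above, i.e. a burst of
TCP/1433 connection attempts against many different hosts (SQL Server
scanning) combined with outbound IRC control traffic on TCP/6669.
The log format, addresses and thresholds are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

SQL_PORT = 1433          # port the worm scans (from the advisory)
IRC_PORT = 6669          # port of the IRC control server (from the advisory)
FANOUT_THRESHOLD = 5     # distinct 1433 targets from one source inside WINDOW (assumed)
WINDOW_SECONDS = 60      # sliding window length (assumed); tune to your network

# Constructed firewall log lines: <timestamp> <action> TCP <src>:<sport> -> <dst>:<dport>
# 10.0.0.5 is an application server that legitimately talks to two databases;
# 10.0.0.7 scans six hosts in a few seconds and talks IRC; 10.0.0.9 only talks IRC.
SAMPLE_LOG = """\
2001-11-22T01:00:01 ACCEPT TCP 10.0.0.5:1033 -> 10.0.1.10:1433
2001-11-22T01:00:04 ACCEPT TCP 10.0.0.5:1034 -> 10.0.1.11:1433
2001-11-22T01:00:05 ACCEPT TCP 10.0.0.7:2001 -> 192.0.2.10:6669
2001-11-22T01:00:06 DROP TCP 10.0.0.7:2002 -> 10.0.1.20:1433
2001-11-22T01:00:06 DROP TCP 10.0.0.7:2003 -> 10.0.1.21:1433
2001-11-22T01:00:07 DROP TCP 10.0.0.7:2004 -> 10.0.1.22:1433
2001-11-22T01:00:07 ACCEPT TCP 10.0.0.7:2005 -> 10.0.1.23:1433
2001-11-22T01:00:08 DROP TCP 10.0.0.7:2006 -> 10.0.1.24:1433
2001-11-22T01:00:09 DROP TCP 10.0.0.7:2007 -> 10.0.1.25:1433
2001-11-22T01:00:30 ACCEPT TCP 10.0.0.9:3000 -> 192.0.2.10:6669
2001-11-22T02:30:00 DROP TCP 10.0.0.5:1040 -> 10.0.1.12:1433
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) TCP "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_events(text):
    """Turn log text into (timestamp, src, dst, dport) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_sql_scanners(events, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: most distinct 1433 targets seen in any `window` seconds} for sources
    at or over `threshold`. Dropped and accepted attempts both count: a scanner is
    identified by its fan-out, not by whether the connections succeed."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == SQL_PORT:
            per_src[src].append((ts, dst))
    scanners = {}
    for src, attempts in per_src.items():
        attempts.sort()
        best, j = 0, 0
        for i in range(len(attempts)):
            # advance j to the first attempt outside the window starting at attempts[i]
            while j < len(attempts) and (attempts[j][0] - attempts[i][0]).total_seconds() <= window:
                j += 1
            best = max(best, len({dst for _, dst in attempts[i:j]}))
        if best >= threshold:
            scanners[src] = best
    return scanners


def find_irc_clients(events):
    """Return {src: set of servers contacted} for hosts with outbound TCP/6669 traffic."""
    clients = defaultdict(set)
    for _, src, dst, dport in events:
        if dport == IRC_PORT:
            clients[src].add(dst)
    return dict(clients)


def triage(text):
    """Combine both indicators; a host that scans for SQL Server AND talks IRC on 6669
    is the strongest signal and goes to 'likely_bots'."""
    events = parse_events(text)
    scanners = find_sql_scanners(events)
    irc = find_irc_clients(events)
    return {
        "scanners": scanners,
        "irc_clients": irc,
        "likely_bots": sorted(set(scanners) & set(irc)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample, 10.0.0.7 is flagged on both indicators while the application server 10.0.0.5, which only ever reaches two databases, is not; 10.0.0.9 appears only as an IRC client and deserves a look but is not counted as a bot by this rule alone. Blocking port 1433 at the perimeter, as the advisory recommends, stops inbound infection but does not stop an already-infected internal host from scanning its neighbours, which is why the fan-out check is run on internal traffic too.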


Name - [REMOVED]

Credit Card Number & Expiry [REMOVED]

your details are currently circulating the underworld of anarchists and credit card fraudsters, so we highly recommend that you contact your bank before much fraud is committed. we have also distributed over a million e-mail addresses to marketing and 'spam' organisations, so you will certainly have a lot of fun deleting unwanted e-mail into the future!

online companies can learn many lessons from this compromise -

1. do not use the same root or administrative (oracle, webserv, etc.) user passwords across different hosts on the same network.

2. never assume that by installing the latest security patches and installing ssh, that you are secure.

3. do not use insecure authentication methods, including nis, nis+ or .rhosts.

4. do not protect your passwords with des in your shadow files, use md5.

end users can learn an important lesson from this compromise -

do not trust companies with your details online.

its been emotional.

its been emotional. we'd like to thank the playboy systems team for providing us with an interesting and challenging target. i'm sure that a big security company will make easy money auditing their systems and hopefully deploying a more secure network - although we'll be back to test it again.

- m4rty

martyn luther ping

minister of information

ingreslock 1524 µ


News source: The Inquirer - Hackers memo to Playboy users
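Two of the memo's lessons, not reusing the same administrative password across hosts (1) and not keeping DES-protected hashes in shadow files (4), can be checked mechanically. The script below is an added example written for this page, not part of the memo or of the news item: it classifies each entry of /etc/shadow-style files by hashing scheme and flags accounts whose identical hash string appears on more than one host. All hostnames and hash strings are constructed and none is a real credential. The memo's 2001 advice was "use md5"; current systems default to SHA-512 crypt or yescrypt, so the audit treats md5crypt as weak too, which the caller can override through the `weak_schemes` parameter.

```python
"""Added example, not part of the memo or of this news item: audit
/etc/shadow-style entries for password hashes still stored with traditional
DES crypt (memo lesson 4) and for the same hash reused across hosts
(memo lesson 1). Hostnames and hash strings are constructed."""
import re
from collections import defaultdict

# Modular-crypt prefixes and the scheme they denote.
SCHEME_PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
# Traditional DES crypt: exactly 13 characters from the crypt alphabet, no '$' marker.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# descrypt is what the memo warns about; md5crypt is added as weak by today's standards.
DEFAULT_WEAK_SCHEMES = frozenset({"descrypt", "md5crypt"})


def classify(hash_field):
    """Name the hashing scheme of one shadow password field."""
    if hash_field == "":
        return "empty"
    if hash_field.startswith(("!", "*")):
        return "locked"
    for prefix, scheme in SCHEME_PREFIXES.items():
        if hash_field.startswith(prefix):
            return scheme
    if DES_RE.match(hash_field):
        return "descrypt"
    return "unknown"


def parse_shadow(text):
    """Yield (user, hash_field) for each non-empty, non-comment line of a shadow file."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        yield fields[0], fields[1]


def audit(shadow_by_host, weak_schemes=DEFAULT_WEAK_SCHEMES):
    """shadow_by_host: {hostname: shadow file text}. Returns empty, weak and reused findings."""
    findings = {"empty": [], "weak_scheme": [], "reused": {}}
    seen = defaultdict(list)  # hash string -> [(host, user)]
    for host, text in shadow_by_host.items():
        for user, h in parse_shadow(text):
            scheme = classify(h)
            if scheme == "empty":
                findings["empty"].append((host, user))
            elif scheme in weak_schemes:
                findings["weak_scheme"].append((host, user, scheme))
            if scheme not in ("empty", "locked"):
                seen[h].append((host, user))
    # An identical hash string (same salt and digest) on two hosts means the same
    # password, typically a copied image or shadow file. The same password hashed
    # with different salts is NOT detected by this comparison.
    findings["reused"] = {
        h: places for h, places in seen.items() if len({p[0] for p in places}) > 1
    }
    return findings


# Constructed shadow excerpts for two hosts (hash strings are made up, not real credentials).
SAMPLE_SHADOW = {
    "web1": (
        "root:$1$Ab3dEf9h$Xk3Lm9Qr2Tv5Wy8Za1Bc4D:11648:0:99999:7:::\n"
        "oracle:abJnggxhB/yWI:11648:0:99999:7:::\n"
        "daemon:*:11648:0:99999:7:::\n"
    ),
    "db1": (
        "root:$1$Ab3dEf9h$Xk3Lm9Qr2Tv5Wy8Za1Bc4D:11648:0:99999:7:::\n"
        "webserv::11648:0:99999:7:::\n"
        "backup:$6$SaltSalt$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        "0123456789./ABCDEFGHIJKLMNOPQRSTUV:11648:0:99999:7:::\n"
    ),
}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SHADOW).items():
        print(f"{key}: {value}")
```

On the sample, `oracle` on web1 is reported for DES crypt, `webserv` on db1 for an empty password, and `root` for carrying the same md5crypt string on both hosts, which is exactly the cross-host password reuse the memo's first lesson describes.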
