[unisog] new virus?

BACHAND, Dave (Info. Tech. Services) BachandD at easternct.edu
Thu Feb 24 17:10:39 GMT 2005


I did run a Nessus scan against the box later yesterday.  The SA
password was indeed blank.  You just can't get good help these days :-)

What was and still is giving me pause however was that the virus in
question was definitely doing a password hack against a variety of
usernames, i.e. admin, SA, root, etc.  But what we detected was a virus
that McAfee said was using an LSASS vulnerability, which I'm fairly
certain the machine was patched for.  I checked the patch logs, and the
MS04-011 patch had been in place since it came out.

Ideas?

++++++++++++++++++++++++++++++++++++++++++++
Dave Bachand
Data Network Manager
Information Technology Services
Eastern Connecticut State University
83 Windham Street
Willimantic, CT
Tel. (860)465-5376
++++++++++++++++++++++++++++++++++++++++++++
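The behaviour described above (one source hammering the SQL login with a rotating list of usernames such as sa, admin and root) is the sort of thing that shows up in the SQL Server ERRORLOG as a burst of "Login failed for user" lines. The following is an added example, not code from this thread or from any of the posters, that parses constructed ERRORLOG-style lines and flags a client that tries several distinct usernames in a short window. It assumes the "[CLIENT: x.x.x.x]" suffix that newer SQL Server versions append to failed-login lines; the sample lines, window and threshold are constructed assumptions.

```python
"""Flag SQL Server password-guessing from ERRORLOG-style failed-login lines.

Added example; the log lines below are constructed, not from the thread.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample ERRORLOG excerpt. The "[CLIENT: ip]" suffix is an
# assumption about the log format (newer SQL Server versions append it).
SAMPLE_LOG = """\
2005-02-23 10:15:02.12 Logon  Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2005-02-23 10:15:02.45 Logon  Login failed for user 'admin'. [CLIENT: 10.1.2.3]
2005-02-23 10:15:02.80 Logon  Login failed for user 'root'. [CLIENT: 10.1.2.3]
2005-02-23 10:15:03.10 Logon  Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2005-02-23 10:15:03.52 Logon  Login failed for user 'administrator'. [CLIENT: 10.1.2.3]
2005-02-23 10:15:03.90 Logon  Login failed for user 'sa'. [CLIENT: 10.1.2.3]
2005-02-23 11:02:17.00 Logon  Login failed for user 'jsmith'. [CLIENT: 10.5.6.7]
2005-02-23 11:30:44.00 Logon  Login failed for user 'jsmith'. [CLIENT: 10.5.6.7]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*?\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Return a list of (timestamp, client_ip, username) for each failed login."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("client"), m.group("user")))
    return events


def find_guessing(events, window=timedelta(seconds=60), min_attempts=5):
    """Return {client_ip: sorted usernames tried} for clients that produced
    at least min_attempts failures inside any sliding window of `window`.

    Thresholds are assumptions for the example; tune them to your logs.
    """
    by_client = defaultdict(list)
    for ts, client, user in sorted(events):
        by_client[client].append((ts, user))

    hits = {}
    for client, attempts in by_client.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            if end - start + 1 >= min_attempts:
                hits[client] = sorted({u for _, u in attempts[start:end + 1]})
                break
    return hits


if __name__ == "__main__":
    for client, users in find_guessing(parse_failures(SAMPLE_LOG)).items():
        print(f"{client}: {len(users)} distinct usernames tried: {', '.join(users)}")
```

A single source cycling through sa, admin, root and administrator within a couple of seconds is the pattern to look for; the two spaced-out jsmith failures from the other host are left alone. Pointing this at the real ERRORLOG (or at the Windows application log, where the same failures land as events) is a quick way to confirm what the SQL sysadmin is seeing.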

-----Original Message-----
From: unisog-bounces at lists.sans.org
[mailto:unisog-bounces at lists.sans.org] On Behalf Of Jordan Wiens
Sent: Thursday, February 24, 2005 10:47 AM
To: UNIversity Security Operations Group
Subject: Re: [unisog] new virus?

On Wed, 23 Feb 2005, BACHAND, Dave (Info. Tech. Services) wrote:

> We've recently had a minor outbreak (if there is such a thing) of a 
> virus that I'm having a hard time putting my finger on.
>
> McAfee shows it as being an SDBOT variant.  But, it only attacks SQL 
> servers.  It seems to be doing some sort of a login attempt/attack.  
> My SQL sysadmin swears that the SA password wasn't blank, and there 
> were no SQL patches missing.

Most of the *bots (sdbot,gaobot,agobot,whatever) are controlled via irc
(as mentioned by another poster), and are manually controlled and told
to spread.  It's quite likely the bots could attack in other ways it
just so happens that that particular botnet controller is using mssql
for now.

Just for reference, I had an admin who had an mssql server that he swore
did not have a blank SA password.  Nessus kept saying he did.  I finally
connected remotely via the mssql manager without a password.  Then he
believed me; though it took him three tries to successfully get a
password on the account.

That may not have been the cause in your situation, but it's much more
likely than an mssql 0-day.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061
_______________________________________________
unisog mailing list
unisog at lists.sans.org
http://www.dshield.org/mailman/listinfo/unisog