[Dshield] RE: Dshield digest, Vol 1 #593 - 3 msgs

Carpenter, Shawn scarpe at sandia.gov
Mon May 6 18:17:11 GMT 2002


Johannes -

We've seen these MS SQL scans since late November 2001.  There has
been a worm active since late November 2001 that attempts to
propagate itself to other machines with the same vulnerability
(http://www.kb.cert.org/vuls/id/635463).  Certain releases of
Microsoft SQL server have default installs that have a null system
administrator account (SA).  It is trivial to gain entry to a system
in this configuration; attackers can execute code at the privilege
level of the SA user account.  It doesn't take a whole lot of work to
elevate their privileges once they're in anyway.

It's a very real threat, and crackers/hackers are starting to really
take advantage of this.  If you observe sequential scans of subnets
at random intervals, it's probably the Kaiten worm (aka W32/CBlade,
W32/Voyager, and Voyager Alpha Force).

Shawn Carpenter
Computer Security Operations
Sandia National Laboratories
scarpe at sandia.gov


- -----Original Message-----
From: list-request at dshield.org [mailto:list-request at dshield.org]
Sent: Saturday, May 04, 2002 10:04 AM
To: list at dshield.org
Subject: Dshield digest, Vol 1 #593 - 3 msgs

Send Dshield mailing list submissions to
	list at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
	list-request at dshield.org

You can reach the person managing the list at
	list-admin at dshield.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Dshield digest..."

Today's Topics:

   1. RE: Problem with outlook express inbox.dbx (Malcolm Joosse)
   2. Klez question (Paul Marsh)
   3. MSSQL scans (Johannes B. Ullrich)

- --__--__--

Message: 1
Subject: RE: [Dshield] Problem with outlook express inbox.dbx
Date: Fri, 3 May 2002 13:40:14 +1000
From: "Malcolm Joosse" <malcolm at hotlinesupport.com>
To: <list at dshield.org>
Reply-To: list at dshield.org

I just had a client call with the same problem

- -----Original Message-----
From: list-admin at dshield.org [mailto:list-admin at dshield.org]On Behalf
Sent: Thursday, May 02, 2002 7:17 PM
To: Dshield
Subject: [Dshield] Problem with outlook express inbox.dbx

Hi All,

I've a problem with my outlook express inbox.dbx, I can't see any
but it say the capacity is 1.91GB.
I've tried with the Inbox repair tool on Windows NT but still I can't
any of my mails, they are not visible at all........

Anybody have got any ideas?



Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:

- --__--__--

Message: 2
From: Paul Marsh <pmarsh at nmefdn.org>
To: "'Dshield (E-mail)" <list at dshield.org>
Date: Fri, 3 May 2002 11:03:10 -0400 
Subject: [Dshield] Klez question
Reply-To: list at dshield.org

I finally got around to installing Scanmail and configured it to strip
.bat's, .pif's and .scr's.  Today I noticed a Klez attachment that
through because the file's extension was appended with .txt so as far
Scanmail was concerned the attachment was OK for delivery.  Have I
just been sleeping or is this a new gig for Mr. Klez?

TIA, Paul 

[[ Attachment of type text/html deleted]]
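The bypass Paul describes (a blocked extension followed by an appended .txt) works against a filter that only inspects the final extension. The following is an added example, not code from the list, Scanmail, or any poster: it places the naive last-extension rule beside a check that inspects every dotted component of the attachment name, after normalising case and the trailing dots and spaces that Windows ignores. The blocked set and the sample filenames are assumptions constructed for the example.

```python
# Extensions the mail filter is configured to strip (assumed set, mirroring the post).
BLOCKED_EXTENSIONS = {"bat", "pif", "scr"}


def _normalise(filename: str) -> str:
    """Lower-case the name and drop trailing dots/spaces, which Windows discards
    when it resolves the real extension."""
    return filename.lower().rstrip(" .")


def last_extension_only(filename: str) -> str:
    """The naive rule: the text after the final dot, or '' if there is no dot."""
    name = _normalise(filename)
    return name.rsplit(".", 1)[-1] if "." in name else ""


def all_extensions(filename: str) -> list:
    """Every dotted component after the base name, e.g. 'a.scr.txt' -> ['scr', 'txt']."""
    name = _normalise(filename)
    return [part.strip() for part in name.split(".")[1:] if part.strip()]


def naive_blocked_by(filename: str, blocked=BLOCKED_EXTENSIONS):
    """Filter that looks at the last extension only; returns the matching
    extension or None.  'report.scr.txt' passes this check."""
    ext = last_extension_only(filename)
    return ext if ext in blocked else None


def blocked_by(filename: str, blocked=BLOCKED_EXTENSIONS):
    """Filter that treats a blocked extension anywhere in the name as a hit;
    returns the first matching extension or None."""
    for ext in all_extensions(filename):
        if ext in blocked:
            return ext
    return None


def filter_attachments(filenames, blocked=BLOCKED_EXTENSIONS):
    """Split a list of attachment names into (delivered, stripped) using the
    every-extension rule."""
    delivered, stripped = [], []
    for name in filenames:
        (stripped if blocked_by(name, blocked) else delivered).append(name)
    return delivered, stripped


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from a real message.
    samples = ["notes.txt", "invoice.bat", "report.scr.txt", "setup.PIF ", "photo.jpg"]
    for name in samples:
        print(f"{name!r:20} last-ext-only={naive_blocked_by(name)!r:6} every-ext={blocked_by(name)!r}")
```

Filename matching of this kind is only a first line of defence; the point of the example is that whatever list of extensions is configured, the check has to look at every component of the name rather than the last one.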

- --__--__--

Message: 3
Date: Fri, 3 May 2002 21:00:41 -0400 (EDT)
From: "Johannes B. Ullrich" <jullrich at sans.org>
To: list at dshield.org
Subject: [Dshield] MSSQL scans
Reply-To: list at dshield.org

  My (preliminary) conclusion on the big jump in mssql scans is
that we have a very small number of sources, who scan one IP
after another for mssql. So far, I don't have any data to
point to a particular exploit or such. All the packets I have
are just SYNs (none of the people submitting packets for this
had something listening). It could be someone scanning for
unpatched SQL servers, or someone building a target list for
a new exploit they have up their sleeve. But so far, there is
no 'worm indication' and there is no captured exploit code.

- -- 
- -------
jullrich at euclidian.com               Join http://www.DShield.org
                          Distributed Intrusion Detection System
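Both Johannes's observation (a few sources scanning one IP after another for MSSQL, SYN only) and Shawn's rule of thumb (sequential subnet scans suggest the worm) reduce to the same detection: group SYNs to TCP/1433 by source and look for runs of consecutive destination addresses. The following is an added example and not DShield's code or anything posted on the list; the log line layout, the field names and the sample lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log, one packet per line (not real DShield data):
# "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <tcp_flags>"
SAMPLE_LOG = """\
2002-05-03 20:58:01 203.0.113.7:3299 -> 198.51.100.10:1433 TCP S
2002-05-03 20:58:01 203.0.113.7:3300 -> 198.51.100.11:1433 TCP S
2002-05-03 20:58:02 203.0.113.7:3301 -> 198.51.100.12:1433 TCP S
2002-05-03 20:58:02 203.0.113.7:3302 -> 198.51.100.13:1433 TCP S
2002-05-03 20:58:03 203.0.113.7:3303 -> 198.51.100.14:1433 TCP S
2002-05-03 20:58:03 203.0.113.7:3304 -> 198.51.100.15:1433 TCP S
2002-05-03 21:00:41 192.0.2.44:1034 -> 198.51.100.10:80 TCP S
2002-05-03 21:00:42 192.0.2.44:1035 -> 198.51.100.10:1433 TCP S
2002-05-03 21:01:10 192.0.2.99:4111 -> 198.51.100.200:1433 TCP S
2002-05-03 21:01:11 192.0.2.99:4112 -> 198.51.100.20:1433 TCP S
"""


def parse_line(line: str) -> dict:
    """Split one log line into its fields (assumed layout shown above)."""
    date, time, src, _arrow, dst, proto, flags = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"src": src_ip, "dst": dst_ip, "dport": int(dst_port),
            "proto": proto, "flags": flags}


def targets_by_source(lines, port: int = 1433) -> dict:
    """Map each source address to the set of destinations it sent a bare SYN
    to on the given TCP port.  Only SYN-only packets count, matching the
    'all the packets I have are just SYNs' observation."""
    hits = defaultdict(set)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec["proto"] == "TCP" and rec["dport"] == port and rec["flags"] == "S":
            hits[rec["src"]].add(rec["dst"])
    return hits


def longest_sequential_run(addresses) -> int:
    """Length of the longest run of numerically consecutive IPv4 addresses
    (n, n+1, n+2, ...) in the set; 0 for an empty set."""
    ints = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if ints else 0
    for prev, cur in zip(ints, ints[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sequential_scanners(lines, port: int = 1433, min_run: int = 4) -> dict:
    """Report sources whose SYNs to `port` walk at least `min_run` consecutive
    destination addresses.  Threshold is an assumption; tune it per site."""
    report = {}
    for src, dsts in targets_by_source(lines, port).items():
        run = longest_sequential_run(dsts)
        if run >= min_run:
            report[src] = {"hosts": len(dsts), "longest_run": run}
    return report


if __name__ == "__main__":
    for src, info in find_sequential_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['hosts']} hosts on tcp/1433, "
              f"longest consecutive run {info['longest_run']}")
```

The run length separates a source that walks a subnet from one that happens to touch a couple of SQL servers; the single 1433 SYN from 192.0.2.44 and the two unrelated targets of 192.0.2.99 in the sample are not reported. Sorting before measuring the run means the detection does not depend on the scanner visiting addresses in order.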

- --__--__--

Dshield mailing list
Dshield at dshield.org

End of Dshield Digest
