[Snort-users] IDS signatures for alert released by SANS/CIS today? (03/08/01)
shawn . moyer
shawn at ...1184...
Thu Mar 8 17:50:48 EST 2001
Yeah, we got that. :)
[root at ...1202... /root]# cat /etc/snort.rules | grep -i msadc
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 529
alert tcp $EXTERNAL_NET any -> $HOME_NET 80
> Howdy all,
> I participated in the CIS conference call that took place this
> afternoon and one of the questions was what IDS's offer signatures for
> these exploits? No one was able to answer the question and Alan Paller
> said he would be in touch with Marty to inquire about Snort's
> capabilities. Sadly I could not provide any info...*head hanging*
> Anyway, I wanted to give you all a heads up - see the announcement
> Large Criminal Hacker Attack on Windows NT E-Banking and E-
> Commerce Sites
> 2:10 PM EST March 08, 2001
> In the largest criminal Internet attack to date, a group of
> Eastern European hackers has spent a year systematically
> exploiting known Windows NT vulnerabilities to steal customer
> data. More than a million credit cards have been taken and more
> than 40 sites have been victimized.
> The FBI and Secret Service are taking the unprecedented step of
> releasing detailed forensic information from ongoing
> investigations because of the importance of the attacks.
> This note is being sent to SANS Institute alumni before the
> information becomes public so you can check and patch your
> systems before copycat criminals appear.
> The Center for Internet Security will be releasing a tool that
> automatically checks your systems for the vulnerabilities and
> also looks for files the FBI has found present on many
> compromised systems.
> The Center's tools are normally available only to members, but
> because of the importance of the problem, the Center agreed to
> make it available to all who need it. Center members have
> already received an invitation to the conference call this
> afternoon to get more data on the attack. If your organization is
> not a member, we encourage you to join in this important
> initiative to fight back against computer crime. See
> www.cisecurity.org for a list of members and how to join.
> Here's the data available so far.
> Over the past several months, the National Infrastructure
> Protection Center (NIPC) has been coordinating investigations
> into a series of organized hacker activities specifically
> targeting U.S. computer systems associated with e-commerce or e-
> banking. Despite previous advisories, many computer owners have
> not patched their systems, allowing these kinds of attacks to
> continue, and prompting this updated release of information.
> More than 40 victims located in 20 states have been identified
> and notified in ongoing investigations in 14 Federal Bureau of
> Investigation Field Offices and 7 United States Secret Service
> Field Offices. These investigations have been closely
> coordinated with foreign law enforcement authorities, and the
> private sector. Specially trained prosecutors in the Computer
> and Telecommunication Coordinator program in U.S. Attorneys'
> Offices in a variety of districts have participated in the
> investigation, with the assistance of attorneys in the Computer
> Crime and Intellectual Property Section at the Department of
> The investigations have disclosed several organized hacker groups
> from Eastern Europe, specifically Russia and the Ukraine, that
> have penetrated U.S. e-commerce computer systems by exploiting
> vulnerabilities in unpatched Microsoft Windows NT operating
> systems. These vulnerabilities were originally reported and
> addressed in Microsoft Security Bulletins MS98-004 (re-released
> in MS99-025), MS00-014, and MS00-008. As early as 1998,
> Microsoft discovered these vulnerabilities and developed and
> publicized patches to fix them. Computer users can download
> these patches from Microsoft for free.
> Once the hackers gain access, they download proprietary
> information, customer databases, and credit card information. The
> hackers subsequently contact the victim company through
> facsimile, email, or telephone. After notifying the company of
> the intrusion and theft of information, the hackers make a veiled
> extortion threat by offering Internet security services to patch
> the system against other hackers. They tell the victim that
> without their services, they cannot guarantee that other hackers
> will not access the network and post the credit card information
> and details about the compromise on the Internet. If the victim
> company is not cooperative in making payments or hiring the group
> for their security services, the hackers' correspondence with the
> victim company has become more threatening. Investigators also
> believe that in some instances the credit card information is
> being sold to organized crime groups. There has been evidence
> that the stolen information is at risk whether or not the victim
> cooperates with the demands of the intruders. To date, more than
> one million credit card numbers have been stolen.
> The NIPC has issued an updated Advisory 01-003 at www.nipc.gov
> regarding these vulnerabilities being exploited. The update
> includes specific file names that may indicate whether a system
> has been compromised. If these files are located on your
> computer system, the NIPC Watch in Washington D.C. should be
> contacted at (202) 323-3204/3205/3206. Incidents may also be
> reported online at www.nipc.gov/incident/cirr.htm. For detailed
> information on the vulnerabilities that are being exploited,
> please refer to the NIPC Advisory 00-60, and NIPC Advisory 01-
> NIPC ADVISORY 01-003
> This advisory is an update to the NIPC Advisory 00-060, "E-
> Commerce Vulnerabilities", dated December 1, 2000. Since the
> advisory was published, the FBI has continued to observe hacker
> activity targeting victims associated with e-commerce or e-
> finance/banking businesses. In many cases, the hacker activity
> had been ongoing for several months before the victim became
> aware of the intrusion. The NIPC emphasizes the recommendation
> that all computer network systems administrators check relevant
> systems and consider applying the updated patches as necessary,
> especially for systems related to e-commerce or e-
> banking/financial businesses. The patches are available on
> Microsoft=s web site, and users should refer to the URLs listed
> The following vulnerabilities have been previously reported:
> Unauthorized Access to IIS Servers through Open Database
> Connectivity (ODBC) Data Access with Remote Data Service (RDS):
> Systems Affected: Windows NT running IIS with RDS enabled.
> Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes
> Summary: Allows unauthorized users to execute shell commands on
> the IIS system as a privileged use; Allows unauthorized access to
> secured, non-published files on the IIS system; On a multi-homed
> Internet-connected IIS systems, using Microsoft Data Access
> Components (MDAC), allows unauthorized users to tunnel Structured
> Query Language (SQL) and other ODBC data requests through the
> public connection to a private back-end network.
> SQL Query Abuse Vulnerability
> Affected Software Versions: Microsoft SQL Server Version 7.0 and
> Microsoft Data Engine (MSDE) 1.0
> Details: Microsoft Security Bulletin MS00-14, NIPC CyberNotes
> Summary: The vulnerability could allow the remote author of a
> malicious SQL query to take unauthorized actions on a SQL Server
> or MSDE database.
> Registry Permissions Vulnerability
> Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0
> Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes
> 20-08 and 20-22
> Summary: Users can modify certain registry keys such that:
> " a malicious user could specify code to launch at
> system crash
> " a malicious user could specify code to launch at
> next login
> " an unprivileged user could disable security
> Web Server File Request Parsing
> While they have not been shown to be a vector for the current
> attacks, Microsoft has advised us that the vulnerabilities
> addressed by Microsoft bulletin MS00-086 are very serious, and we
> encourage web site operators to consider applying the patch
> provided with this bulletin as well as the three that are under
> active exploitation.
> Summary: The vulnerability could allow a malicious user to run
> system commands on a web server.
> New Information: In addition to the above exploits, several
> filenames have been identified in connection with the intrusions,
> specific to Microsoft Windows NT systems. The presence of any of
> these files on your system should be reviewed carefully because
> they may indicate that your system has been compromised:
> In addition, system administrators may want to check for the
> unauthorized presence of any of the following executable files,
> which are often used as hacking tools:
> Recipients of this Advisory are encouraged to report computer
> crime to the NIPC Watch at (202) 323-3204/3205/3206. Incidents
> may also be reported online at www.nipc.gov/incident/cirr.htm.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
s h a w n m o y e r
shawn at ...1184...
The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.
More information about the Snort-users