[Snort-users] IDS signatures for alert released by SANS/CIS today? (03/08/01)

Orlando Padilla opadilla at ...1522...
Fri Mar 9 10:27:30 EST 2001


In response to Beckster's "heads-up" here's a follow up.

Orlando


This is a followup to the email with the subject "Large Criminal Hacker
Attack on Windows NT E-Banking and E-Commerce Sites" sent from the SANS
Institute earlier today. The message was sent out with a bad signature.
The information in the email is also posted at http://www.sans.org and
http://www.fbi.gov. You may visit those sites for verification.



"shawn . moyer" <shawn at ...1184...>
Sent by: snort-users-admin at ...635...eforge.net
To: Beckster <beckster at ...1127...>
cc: Snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] IDS signatures for alert released by SANS/CIS today? (03/08/01)
03/08/2001 04:50 PM

Yeah, we got that. :)


[root at ...1202... /root]# cat /etc/snort.rules | grep -i msadc

alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 529
IIS-msadc/msadcs.dll";flags:PA;content:"msadc/msadcs.dll"; nocase;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 80
(msg:"IIS-adctest.asp";flags:PA; content:"msadc/samples/adctest.asp";
nocase;)




Beckster wrote:
>
> Howdy all,
>
> I participated in the CIS conference call that took place this
> afternoon and one of the questions was what IDS's offer signatures for
> these exploits?  No one was able to answer the question and Alan Paller
> said he would be in touch with Marty to inquire about Snort's
> capabilities.  Sadly I could not provide any info...*head hanging*
>
> Anyway, I wanted to give you all a heads up - see the announcement
> below.
>
> Regards,
> Becky
>
> Large Criminal Hacker Attack on Windows NT E-Banking and E-
> Commerce Sites
>
> 2:10 PM EST March 08, 2001
>
> In the largest criminal Internet attack to date, a group of
> Eastern European hackers has spent a year systematically
> exploiting known Windows NT vulnerabilities to steal customer
> data. More than a million credit cards have been taken and more
> than 40 sites have been victimized.
>
> The FBI and Secret Service are taking the unprecedented step of
> releasing detailed forensic information from ongoing
> investigations because of the importance of the attacks.
>
> This note is being sent to SANS Institute alumni before the
> information becomes public so you can check and patch your
> systems before copycat criminals appear.
>
> The Center for Internet Security will be releasing a tool that
> automatically checks your systems for the vulnerabilities and
> also looks for files the FBI has found present on many
> compromised systems.
>
> The Center's tools are normally available only to members, but
> because of the importance of the problem, the Center agreed to
> make it available to all who need it.  Center members have
> already received an invitation to the conference call this
> afternoon to get more data on the attack. If your organization is
> not a member, we encourage you to join in this important
> initiative to fight back against computer crime. See
> www.cisecurity.org for a list of members and how to join.
>
> Here's the data available so far.
>
> Over the past several months, the National Infrastructure
> Protection Center (NIPC) has been coordinating investigations
> into a series of organized hacker activities specifically
> targeting U.S. computer systems associated with e-commerce or e-
> banking.  Despite previous advisories, many computer owners have
> not patched their systems, allowing these kinds of attacks to
> continue, and prompting this updated release of information.
>
> More than 40 victims located in 20 states have been identified
> and notified in ongoing investigations in 14 Federal Bureau of
> Investigation Field Offices and 7 United States Secret Service
> Field Offices.  These investigations have been closely
> coordinated with foreign law enforcement authorities, and the
> private sector.  Specially trained prosecutors in the Computer
> and Telecommunication Coordinator program in U.S. Attorneys'
> Offices in a variety of districts have participated in the
> investigation, with the assistance of attorneys in the Computer
> Crime and Intellectual Property Section at the Department of
> Justice.
>
> The investigations have disclosed several organized hacker groups
> from Eastern Europe, specifically Russia and the Ukraine, that
> have penetrated U.S. e-commerce computer systems by exploiting
> vulnerabilities in unpatched Microsoft Windows NT operating
> systems.  These vulnerabilities were originally reported and
> addressed in Microsoft Security Bulletins MS98-004 (re-released
> in MS99-025), MS00-014, and MS00-008.  As early as 1998,
> Microsoft discovered these vulnerabilities and developed and
> publicized patches to fix them.  Computer users can download
> these patches from Microsoft for free.
>
> Once the hackers gain access, they download proprietary
> information, customer databases, and credit card information. The
> hackers subsequently contact the victim company through
> facsimile, email, or telephone.  After notifying the company of
> the intrusion and theft of information, the hackers make a veiled
> extortion threat by offering Internet security services to patch
> the system against other hackers.  They tell the victim that
> without their services, they cannot guarantee that other hackers
> will not access the network and post the credit card information
> and details about the compromise on the Internet.  If the victim
> company is not cooperative in making payments or hiring the group
> for their security services, the hackers' correspondence with the
> victim company has become more threatening.  Investigators also
> believe that in some instances the credit card information is
> being sold to organized crime groups.   There has been evidence
> that the stolen information is at risk whether or not the victim
> cooperates with the demands of the intruders.  To date, more than
> one million credit card numbers have been stolen.
>
> The NIPC has issued an updated Advisory 01-003 at www.nipc.gov
> regarding these vulnerabilities being exploited.  The update
> includes specific file names that may indicate whether a system
> has been compromised.  If these files are located on your
> computer system, the NIPC Watch in Washington D.C. should be
> contacted at (202) 323-3204/3205/3206.  Incidents may also be
> reported online at www.nipc.gov/incident/cirr.htm. For detailed
> information on the vulnerabilities that are being exploited,
> please refer to the NIPC Advisory 00-60, and NIPC Advisory 01-003.
>
> NIPC ADVISORY 01-003
>
> This advisory is an update to the NIPC Advisory 00-060, "E-
> Commerce Vulnerabilities", dated December 1, 2000.   Since the
> advisory was published, the FBI has continued to observe hacker
> activity targeting victims associated with e-commerce or e-
> finance/banking businesses.  In  many cases, the hacker activity
> had been ongoing for several months before the victim became
> aware of the intrusion.   The NIPC emphasizes the recommendation
> that all computer network systems administrators check relevant
> systems and consider applying the updated patches as necessary,
> especially for systems related to e-commerce or e-
> banking/financial businesses.  The patches are available on
> Microsoft's web site, and users should refer to the URLs listed
> below.
>
> The following vulnerabilities have been previously reported:
>
> Unauthorized Access to IIS Servers through Open Database
> Connectivity (ODBC) Data Access with Remote Data Service (RDS):
> Systems Affected:  Windows NT running IIS with RDS enabled.
> Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes
> 99-22
>
> http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
> http://www.nipc.gov/warnings/advisories/1999/99-027.htm,
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary:  Allows unauthorized users to execute shell commands on
> the IIS system as a privileged user; Allows unauthorized access to
> secured, non-published files on the IIS system; On a multi-homed
> Internet-connected IIS system, using Microsoft Data Access
> Components (MDAC), allows unauthorized users to tunnel Structured
> Query Language (SQL) and other ODBC data requests through the
> public connection to a private back-end network.
>
> SQL Query Abuse Vulnerability
> Affected Software Versions:  Microsoft SQL Server Version 7.0 and
> Microsoft Data Engine (MSDE) 1.0
> Details:  Microsoft Security Bulletin MS00-14, NIPC CyberNotes
> 20-05
>
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary:  The vulnerability could allow the remote author of a
> malicious SQL query to take unauthorized actions on a SQL Server
> or MSDE database.
>
> Registry Permissions Vulnerability
> Systems Affected:  Windows NT 4.0 Workstation, Windows NT 4.0
> Server
> Details:  Microsoft Security Bulletin MS00-008, NIPC CyberNotes
> 20-08 and 20-22
>
> http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
> Summary: Users can modify certain registry keys such that:
> - a malicious user could specify code to launch at system crash
> - a malicious user could specify code to launch at next login
> - an unprivileged user could disable security measures
>
> Web Server File Request Parsing
>
> While they have not been shown to be a vector for the current
> attacks, Microsoft has advised us that the vulnerabilities
> addressed by Microsoft bulletin MS00-086 are very serious, and we
> encourage web site operators to consider applying the patch
> provided with this bulletin as well as the three that are under
> active exploitation.
>
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary:  The vulnerability could allow a malicious user to run
> system commands on a web server.
>
> New Information:  In addition to the above exploits, several
> filenames have been identified in connection with the intrusions,
> specific to Microsoft Windows NT systems.  The presence of any of
> these files on your system should be reviewed carefully because
> they may indicate that your system has been compromised:
> ntalert.exe
> sysloged.exe
> tapi.exe
> 20.exe
> 21.exe
> 25.exe
> 80.exe
> 139.exe
> 1433.exe
> 1520.exe
> 26405.exe
> i.exe
>
> In addition, system administrators may want to check for the
> unauthorized presence of any of the following executable files,
> which are often used as hacking tools:
> lomscan.exe
> mslom.exe
> lsaprivs.exe
> pwdump.exe
> serv.exe
> smmsniff.exe
>
> Recipients of this Advisory are encouraged to report computer
> crime to the NIPC Watch at (202) 323-3204/3205/3206.  Incidents
> may also be reported online at  www.nipc.gov/incident/cirr.htm.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> http://lists.sourceforge.net/lists/listinfo/snort-users

--

s h a w n   m o y e r
shawn at ...1184...

The universe did not invent justice; man did.
Unfortunately, man must reside in the universe.

                                        -- Zelazny
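Shawn's two rules fire on port-80 traffic whose payload contains the msadc paths, case-insensitively. The following is an added example, not code from the thread: a small Python parser for the rule syntax shown above that evaluates those two rules against constructed request payloads, showing why `nocase` matters for paths served from a case-insensitive NT filesystem. It assumes only the payload and destination port are available, so the `flags:PA` TCP-flag condition is parsed but not evaluated.

```python
import re

# The two rules from the reply above, rejoined onto single lines.
SNORT_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 529 IIS-msadc/msadcs.dll";flags:PA;content:"msadc/msadcs.dll"; nocase;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IIS-adctest.asp";flags:PA; content:"msadc/samples/adctest.asp"; nocase;)',
]
# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

def parse_rule(line):
    """Parse the header plus the msg/flags/content/nocase options of one rule.
    Options are split on ';', so a content string containing ';' is out of scope."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule: " + line)
    rule = {"dport": m.group(6), "msg": None, "flags": None, "content": [], "nocase": False}
    for opt in m.group(7).split(";"):
        key, _, val = opt.strip().partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule["msg"] = val
        elif key == "flags":
            rule["flags"] = val
        elif key == "content":
            rule["content"].append(val)
        elif key == "nocase":
            rule["nocase"] = True
    return rule

def rule_matches(rule, dport, payload):
    """Port test plus content/nocase test. flags:PA is a TCP-flag condition;
    it is assumed satisfied because only the payload is modelled here."""
    if rule["dport"] not in ("any", str(dport)):
        return False
    hay = payload.lower() if rule["nocase"] else payload
    return all((c.lower() if rule["nocase"] else c) in hay for c in rule["content"])

def alerts_for(rules, packets):
    """For each (dst port, payload) pair, return the msg of every rule that fires."""
    return [[r["msg"] for r in rules if rule_matches(r, port, data)] for port, data in packets]

# Constructed sample requests (not captured traffic) exercising the rules.
SAMPLE_PACKETS = [
    (80, "GET /msadc/msadcs.dll HTTP/1.0\r\n\r\n"),
    (80, "POST /MSADC/MSADCS.DLL HTTP/1.1\r\nHost: shop\r\n\r\n"),  # uppercase: caught by nocase
    (80, "GET /msadc/Samples/adctest.asp HTTP/1.0\r\n\r\n"),
    (8080, "GET /msadc/msadcs.dll HTTP/1.0\r\n\r\n"),              # port 8080: rules are port-80 only
    (80, "GET /index.html HTTP/1.0\r\n\r\n"),
]
```

Running `alerts_for([parse_rule(r) for r in SNORT_RULES], SAMPLE_PACKETS)` shows the first three requests each trigger exactly one rule and the last two trigger none.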
