Believe it or not, I was online for 4 hours downloading info to load on my brand new Samba server. While I was doing so, I was being hacked OVER A DIAL UP CONNECTION! At the time, I was sharing my dial connection via XP Pro (only because my modem isn't linux compatible). Proof that Windows should never directly touch the Internet. Yes I was running this apparently useless XP firewall and I keep my updates current. Once the attacker took over the XP machine, they started in on my new Samba server. The XP machine is 192.168.0.1 and the Samba server is 192.168.0.100. Here is the snort log:


[1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.0.100 -> 192.168.0.1
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3156 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1295:7] NETBIOS nimda RICHED20.DLL [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:677:5] MS-SQL/SMB sp_password password change [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:703:5] MS-SQL/SMB xp_setsqlsecurity possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:678:5] MS-SQL/SMB sp_delete_alert log file deletion [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:535:4] NETBIOS SMB CD... [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:703:5] MS-SQL/SMB xp_setsqlsecurity possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:695:5] MS-SQL/SMB xp_sprintf possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:703:5] MS-SQL/SMB xp_setsqlsecurity possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:702:5] MS-SQL/SMB xp_displayparamstmt possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:698:5] MS-SQL/SMB xp_proxiedmetadata possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:677:5] MS-SQL/SMB sp_password password change [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:469:1] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.0.100 -> 192.168.0.1
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1295:7] NETBIOS nimda RICHED20.DLL [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:677:5] MS-SQL/SMB sp_password password change [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:678:5] MS-SQL/SMB sp_delete_alert log file deletion [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:681:4] MS-SQL/SMB xp_cmdshell program execution [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:689:4] MS-SQL/SMB xp_reg* registry access [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1386:4] MS-SQL/SMB raiserror possible buffer overflow [Classification: Attempted User Privilege Gain] [Priority: 1]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3171 -> 192.168.0.100:139
[1:1882:4] ATTACK-RESPONSES id check returned userid [Classification: Potentially Bad Traffic] [Priority: 2]: {TCP} 192.168.0.1:3735 -> 192.168.0.100:10000

I've since updated to DSL and a true firewall. Enjoy and comments are welcome. In the meantime I have an XP machine rebuild. It will be fun calling Microsoft and telling them I need a new registration number because I had to reload their OS after being hacked!

A Linux user believing Microsoft's claim about XP Firewall? :-O But seriously, don't use it. Get ZoneAlarm and turn the built in cr*p off.

Looks like they may have exploited the MS-SQL vuln that SQL Slammer took advantage of... Were you even keeping your XP box up to date with security fixes? If not, that's hardly Microsoft's fault. The patches have been out for a looooooong time.

The question already seems answered at the top of this thread...

Yes, even with my dial up connection, I was keeping up to date with the updates, but apparently, keeping my dial up online long enough to download the new update is in itself a security issue. The very definition of "catch 22".

I missed the part about the updates, still it's very strange. It looks pretty obvious that it was a SQL exploit. Did you have a SQL server on the XP box? Perhaps some of the table permissions were not set correctly or something, and the attacker was able to use a SQL command injection or some similar method.

Any way, looks like a good reason to have Snort running and up to date. Even if you think everything is secure, you still may be successfully attacked.

I use a LAMP server system on my XP machine to test my Dreamweaver pages, but that would not have been the problem, otherwise, nope, no IIS or MS-SQL or anything. I am a network administrator by profession, so I keep a pretty tight ship, at least what I am aware of. I made one stupid mistake and it bit me. The part the gets me is that if the attacker didn't go after my linux server with the snort detection, I would have never known. There is absolutely NO indication that my computer was hacked. I even keep a virus scanner that would have noticed a script such as this, yet it missed it too.

There was nothing that the attacker could have gotten off of any of my computers that was worth a damn, so I'm not too worried. I will reload both of these computers however, just to be safe.

If you look at the timestamps of the snort entries, are they spaced relatively close together indicating an automated tool/worm or are they farther apart and relatively un-uniform indicating someone manually trying exploits? Interesting to trace through each sequence of attacks.

Quote:

Originally posted by dekket The question already seems answered at the top of this thread...

I think this has an angle that is faster then analyzing all the logs. the doz native firewall lacks outgoing packet scans totally I agree that quiting the XP firewall and downloading Zonelabs may actually help! this is the firewall that surprised me with absolute success in my last doz days It's worth a look! http://www.zonelabs.com I was impressed!

Quote:

Originally posted by Capt_Caveman If you look at the timestamps of the snort entries, are they spaced relatively close together indicating an automated tool/worm or are they farther apart and relatively un-uniform indicating someone manually trying exploits? Interesting to trace through each sequence of attacks.

Like I have suggested before timing is crucial nice Capt_Caveman I hope my previous helps

Obviously there was a lot edited out of the log so I could get a resonable size post, but everything you see was over a 2 and a half hour timeframe. There are furies of activity that are within 40 seconds of each other, then it stopped for a few minutes to an hour and then more short furies. Looks like scripts to me being run manually.

Shut down the SQL server and get online to grab the windows updates. I agree with the poster who says this is all your fault for not keeping up to date. Same thing happens to Linux users who run too many services and don't watch the security updates for them.

Man are you even bothering to read the posts?? I always keep XP up to date and I have NO MS-SQL server running. Geez, if you are going to post some half-assed comment atleast make sure it hasn't already been answered, AND TWICE MIGHT I ADD!

BTW, the System Monitor application in Windows actually has an embedded SQL server to store the stats in. Even if you're not explicitly running MS SQL, it will be there (let me see if I can find the exact name of the app). A lot of companies were very surprised when their Windows boxen got hosed by the SQL Slammer worm, even though they didn't think they were running SQL databases on those boxen.

Edit: Well I couldn't find the specific information I was looking for, but it does look like "System Monitor" (actual name) uses an embedded SQL Server, so that would be vulnerable. Also interesting is that MS Visual Studios and MS Office Development Edition also contain SQL servers.

More info can be found here: http://www.microsoft.com/technet/tre...letin MS02-039

That must have been the open door! I was curious what exactly could have been the culprit.

Lesson learned, although, there is apparently, not much you can do about that. What are the odds on convincing MS to run System Monitor on MySQL?