From: Vitaly Osipov [vosipov@WOLFEGROUP.IE]
Sent: Friday, March 09, 2001 3:53 AM
To: FORENSICS@SECURITYFOCUS.COM
Subject: Re: Somewhat Interesting NIPC Alert

heh, now I understand why the amount of ads on Russian hacker sites offering
card numbers (with all the info, often including cvv2) has increased so much
in the last couple of months... I am not sure about the price they offer -
some dollars a card anyway. And their preferred method of payment is via
WebMoney - I guess mostly because of the total anonymity in this case.

regards,
W.

----- Original Message -----
From: "Alfred Huger"
To:
Sent: Thursday, March 08, 2001 8:53 PM
Subject: [FORENSICS] Somewhat Interesting NIPC Alert

> NIPC ADVISORY 01-003
>
> This advisory is an update to the NIPC Advisory 00-060, "E-Commerce
> Vulnerabilities", dated December 1, 2000. Since the advisory was
> published, the FBI has continued to observe hacker activity targeting
> victims associated with e-commerce or e-finance/banking businesses.
> In many cases, the hacker activity had been ongoing for several months
> before the victim became aware of the intrusion. The NIPC emphasizes
> the recommendation that all computer network systems administrators
> check relevant systems and consider applying the updated patches as
> necessary, especially for systems related to e-commerce or
> e-banking/financial businesses. The patches are available on Microsoft's
> web site, and users should refer to the URLs listed below.
>
> The following vulnerabilities have been previously reported:
>
> Unauthorized Access to IIS Servers through Open Database
> Connectivity (ODBC) Data Access with Remote Data Service (RDS):
> Systems Affected: Windows NT running IIS with RDS enabled.
> Details: Microsoft Security Bulletin MS99-025, NIPC CyberNotes 99-22
>
> http://www.microsoft.com/technet/security/bulletin/ms99-025.asp
> http://www.nipc.gov/warnings/advisories/1999/99-027.htm
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: Allows unauthorized users to execute shell commands on the
> IIS system as a privileged user; allows unauthorized access to secured,
> non-published files on the IIS system; on multi-homed,
> Internet-connected IIS systems using Microsoft Data Access Components
> (MDAC), allows unauthorized users to tunnel Structured Query Language
> (SQL) and other ODBC data requests through the public connection to a
> private back-end network.
>
> SQL Query Abuse Vulnerability
> Affected Software Versions: Microsoft SQL Server Version 7.0 and
> Microsoft Data Engine (MSDE) 1.0
> Details: Microsoft Security Bulletin MS00-014, NIPC CyberNotes 20-05
>
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: The vulnerability could allow the remote author of a malicious
> SQL query to take unauthorized actions on a SQL Server or MSDE database.
>
> Registry Permissions Vulnerability
> Systems Affected: Windows NT 4.0 Workstation, Windows NT 4.0 Server
> Details: Microsoft Security Bulletin MS00-008, NIPC CyberNotes 20-08
> and 20-22
>
> http://www.microsoft.com/technet/security/bulletin/ms00-008.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: Users can modify certain registry keys such that:
>      a malicious user could specify code to launch at system crash
>      a malicious user could specify code to launch at next login
>      an unprivileged user could disable security measures
>
> Web Server File Request Parsing
>
> While they have not been shown to be a vector for the current attacks,
> Microsoft has advised us that the vulnerabilities addressed by Microsoft
> bulletin MS00-086 are very serious, and we encourage web site operators
> to consider applying the patch provided with this bulletin as well as
> the three that are under active exploitation.
>
> http://www.microsoft.com/technet/security/bulletin/ms00-014.asp
> http://www.nipc.gov/cybernotes/cybernotes.htm
>
> Summary: The vulnerability could allow a malicious user to run
> system commands on a web server.
>
> New Information: In addition to the above exploits, several filenames
> have been identified in connection with the intrusions, specific to
> Microsoft Windows NT systems. The presence of any of these files on
> your system should be reviewed carefully because they may indicate that
> your system has been compromised:
>      ntalert.exe
>      sysloged.exe
>      tapi.exe
>      20.exe
>      21.exe
>      25.exe
>      80.exe
>      139.exe
>      1433.exe
>      1520.exe
>      26405.exe
>      i.exe
>
> In addition, system administrators may want to check for the
> unauthorized presence of any of the following executable files, which
> are often used as hacking tools:
>      lomscan.exe
>      mslom.exe
>      lsaprivs.exe
>      pwdump.exe
>      serv.exe
>      smmsniff.exe
>
> Recipients of this Advisory are encouraged to report computer crime to
> the NIPC Watch at (202) 323-3204/3205/3206.
> Incidents may also be reported online at www.nipc.gov/incident/cirr.htm.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (BSD/OS)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE6p+mz+LUG5KFpTkYRApVrAKCd6rT++htahvzbxsIkbqMVa74fuACcDKaQ
> wsjk3kVpcNQP2fPrMR9IQSw=
> =WIaD
> -----END PGP SIGNATURE-----
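The file-name checks the quoted advisory asks administrators to run, as an added example that is not part of this message or of NIPC's advisory: a small Python sweep that takes the two lists above (the intrusion-associated names and the tool names), walks a directory tree or a saved directory listing, and reports every match with its category, size and modification time. It matches on the base name only and case-insensitively, because NTFS file names are case-insensitive, and it normalises both `\` and `/` so a listing captured on an NT box can be analysed on a Unix workstation. The SAMPLE_LISTING paths are constructed for the demonstration; the helper names (`classify`, `match_iocs`, `walk_files`, `report`) are this example's own. The caveat the advisory implies with "may indicate" applies: a renamed tool will not match, and a missing match proves nothing.

```python
import os
import sys
from dataclasses import dataclass
from typing import Iterable, List, Optional

# File names the NIPC advisory associates with the intrusions (NT systems).
INTRUSION_FILES = {
    "ntalert.exe", "sysloged.exe", "tapi.exe", "20.exe", "21.exe",
    "25.exe", "80.exe", "139.exe", "1433.exe", "1520.exe",
    "26405.exe", "i.exe",
}

# File names of tools the advisory says are often used by the intruders.
TOOL_FILES = {
    "lomscan.exe", "mslom.exe", "lsaprivs.exe", "pwdump.exe",
    "serv.exe", "smmsniff.exe",
}

# Constructed sample listing (not real data) so the script runs offline.
SAMPLE_LISTING = [
    r"C:\WINNT\system32\NTALERT.EXE",      # case differs, still a hit
    r"C:\Inetpub\scripts\1433.exe",
    r"C:\temp\pwdump.exe",
    r"C:\WINNT\system32\tapi32.dll",       # legitimate, not tapi.exe
    r"C:\WINNT\system32\i.exe.txt",        # base name is not on the list
]


@dataclass
class Hit:
    path: str
    category: str  # "intrusion-indicator" or "hacking-tool"


def classify(path: str) -> Optional[str]:
    """Return the advisory category for a path, or None.

    Only the base name is compared, after normalising separators and case:
    NTFS is case-insensitive, so NTALERT.EXE and ntalert.exe are one file.
    """
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name in INTRUSION_FILES:
        return "intrusion-indicator"
    if name in TOOL_FILES:
        return "hacking-tool"
    return None


def match_iocs(paths: Iterable[str]) -> List[Hit]:
    """Keep only the paths whose base name is on one of the two lists.

    Pure function: feed it a live os.walk, a directory listing saved from
    the suspect host, or a fixture. Order of the input is preserved.
    """
    hits: List[Hit] = []
    for p in paths:
        cat = classify(p)
        if cat is not None:
            hits.append(Hit(p, cat))
    return hits


def walk_files(root: str) -> Iterable[str]:
    """Yield every file under root without following symlinks/junctions,
    so a link loop cannot make the sweep run forever."""
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        for fn in filenames:
            yield os.path.join(dirpath, fn)


def report(paths: Iterable[str]) -> List[Hit]:
    """Print one line per hit with size and mtime when the file is
    reachable locally, and return the hits for further handling."""
    hits = match_iocs(paths)
    for h in hits:
        try:
            st = os.stat(h.path)
            extra = f"size={st.st_size} mtime={int(st.st_mtime)}"
        except OSError as e:
            extra = f"stat unavailable: {e.__class__.__name__}"
        print(f"[{h.category}] {h.path} ({extra})")
    return hits


if __name__ == "__main__":
    # With a directory argument, sweep it; otherwise run on the sample.
    if len(sys.argv) > 1:
        found = report(walk_files(sys.argv[1]))
    else:
        found = report(SAMPLE_LISTING)
    print(f"{len(found)} match(es)")
```

Run it as `python sweep.py D:\` on the suspect host (or against a listing exported from it), and treat any hit as a lead to be confirmed by hashing and examining the file, not as proof of compromise: the names `tapi.exe`, `serv.exe` and the port-numbered ones are easy to collide with innocently, and an intruder who renamed the tools leaves this check empty.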