08-19-2005, 09:48   #1
BMT (RIP)
Quiet Professional
US Customs 'Puters

http://apnews.myway.com/article/20050819/D8C2RE000.html

WTF disabled NORTON AV???

BMT
__________________
Don't mess with old farts...age and treachery will always overcome youth and skill! Bullshit and brilliance only come with age and experience.
08-19-2005, 10:02   #2
fusion94
Asset
Well it would appear (just based on what the article states) that the US Customs is using Microsoft SQL Server and got hit with one of the many worms that it's vulnerable to. In today's day and age I really don't understand why so many Government systems are as insecure as they are.

From my firewall logs as of a few minutes ago:

Quote:
Date: 08/19 01:42:11 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 219.129.139.187:4373 -> 24.0.76.5:1434

Date: 08/19 03:40:15 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 219.145.169.136:3047 -> 24.0.76.5:1434
08-19-2005, 10:05   #3
Dan
Administrators
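An added example, not code from the post or the forum: it parses the three-line alert format quoted above and tallies which sources are hitting port 1434 (the SQL Server resolution service these worms probe). The field layout is inferred from the two quoted entries, and the third entry with a 192.0.2.0/24 address is constructed to show non-1434 traffic being ignored.

```python
import re
from collections import Counter

# The two alerts quoted in the post above, plus one constructed entry on a
# different port (192.0.2.0/24 is a documentation range) to show it is skipped.
SAMPLE_LOG = """\
Date: 08/19 01:42:11 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 219.129.139.187:4373 -> 24.0.76.5:1434

Date: 08/19 03:40:15 Name: MS-SQL Worm propagation attempt
Priority: 2 Type: Misc Attack
IP info: 219.145.169.136:3047 -> 24.0.76.5:1434

Date: 08/19 04:10:02 Name: WEB-MISC probe
Priority: 3 Type: Web Application Attack
IP info: 192.0.2.10:51000 -> 24.0.76.5:80
"""

# One alert is three consecutive lines; '.' does not match newline, so the
# non-greedy name/type captures stop at the end of their own line.
ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?)\n"
    r"Priority: (?P<prio>\d+) Type: (?P<type>.+?)\n"
    r"IP info: (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Return one dict per three-line alert block found in the log text."""
    return [m.groupdict() for m in ALERT_RE.finditer(text)]


def sql_worm_sources(alerts, port=1434):
    """Count alerts per source IP whose destination port is `port` (1434)."""
    return Counter(a["src"] for a in alerts if int(a["dport"]) == port)


if __name__ == "__main__":
    hits = sql_worm_sources(parse_alerts(SAMPLE_LOG))
    for src, n in hits.most_common():
        print(f"{src}: {n} probe(s) of port 1434")
```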
They most likely got hit with a ZOTOB worm variant and the travelers had to pay the stupid tax for them because they didn't keep their OS up to date.
08-19-2005, 10:24   #4
fusion94
Asset
Well Zotob spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability and AFAIK only affects Windows 2000 servers. I can more or less understand why they use Windows 2000 and MS SQL even though I wouldn't. What I don't understand is why any Windows 2000 server would have the PnP service turned on. That's just shoddy administration IMO.
08-19-2005, 10:29   #5
Dan
Administrators
Quote:
Originally Posted by fusion94
That's just shoddy administration IMO.
Exactly...they don't know enough to not keep it turned off or keep their OS's up to date in general. They aren't alone...look at the 250,000+ reported systems that were affected by this worm. CNN and ABC news servers were taken down early on just to name some other big name folks that got nailed.
08-19-2005, 10:38   #6
fusion94
Asset
Roger that Dan.

I was wrong, it CAN affect XP and Windows Server 2003 as well if this variable has been set in the registry:

HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymousSAM = 0

or

HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous = 0

DWORD value needs to be set to 1 to restrict anonymous access.