Last month, I moved to a new apartment and decided to hook up high-speed cable Internet from Comcast (as openly documented on this very same blog) as my primary connection to the world wide weird. This was July 15 and I was working at home that day.
With no router or switch at hand yet, my Sony Vaio VGN-BZ560 laptop was connected directly to Comcast's modem, getting a dynamic public IP address from time to time. Something exciting happened right in front of my eyes as my Symantec Endpoint Protection software started displaying notification windows reporting a couple of Intrusion Prevention events. I immediately opened the Client Management Logs - Security Log view of Symantec Endpoint Protection, and here is what I found:
[SID: 20081] MS SQL Stack BO detected.
Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
Traffic from IP address 58.51.89.122 is blocked from 7/15/2009 1:33:12 PM to 7/15/2009 1:43:12 PM.
Active Response that started at 07/15/2009 13:33:12 is disengaged. The traffic from IP address 58.51.89.122 was blocked for 600 second(s).
I immediately launched Wireshark to capture on the network interface, then went back into Symantec Endpoint Protection's Client Management - Security Logs, and it turns out the attack had been going on since 5 AM PST that morning!
Here are the log entries from the first attempt:
[SID: 20081] MS SQL Stack BO detected.
Traffic has been blocked from this application: C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
Traffic from IP address 218.23.37.51 is blocked from 7/15/2009 5:48:38 AM to 7/15/2009 5:58:38 AM.
The logical thing for me to do was to trace where these IP addresses were coming from. So I ran a few back traces with my VisualRoute tool and surprise! Surprise! Yes, the IP addresses are all from China.
The source IPs are all from China, if the back trace is reporting it correctly and these attackers are not using some mechanism to hide their real location; or they could just be a bunch of compromised boxes or botnets serving their master somewhere here in the States. But my gut keeps telling me that these are really coming from China.
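As an added example (not part of the original post), here is a small Python parser for the Security Log format quoted above. The sample lines are constructed from the entries shown in this post; the parser groups the multi-line entries into one event per signature hit, counts hits per source IP, and finds the earliest block window, which is the same check that revealed the attempts had started at 5 AM.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: the two SEP Security Log entries quoted in the post.
SAMPLE_LOG = """\
[SID: 20081] MS SQL Stack BO detected.
Traffic has been blocked from this application: C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe
Traffic from IP address 58.51.89.122 is blocked from 7/15/2009 1:33:12 PM to 7/15/2009 1:43:12 PM.
Active Response that started at 07/15/2009 13:33:12 is disengaged. The traffic from IP address 58.51.89.122 was blocked for 600 second(s).
[SID: 20081] MS SQL Stack BO detected.
Traffic has been blocked from this application: C:\\Program Files\\Microsoft SQL Server\\90\\Shared\\sqlbrowser.exe
Traffic from IP address 218.23.37.51 is blocked from 7/15/2009 5:48:38 AM to 7/15/2009 5:58:38 AM.
"""

SID_RE = re.compile(r"^\[SID: (\d+)\] (.+?)\.?$")
APP_RE = re.compile(r"^Traffic has been blocked from this application: (.+)$")
BLOCK_RE = re.compile(
    r"^Traffic from IP address (\d+\.\d+\.\d+\.\d+) is blocked from "
    r"(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) to (\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)\.$")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"  # SEP's 12-hour local timestamp


def parse_sep_log(text):
    """Group the multi-line SEP Security Log into one event dict per signature hit."""
    events, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := SID_RE.match(line):          # a new signature hit starts an event
            cur = {"sid": int(m.group(1)), "name": m.group(2)}
            events.append(cur)
        elif cur and (m := APP_RE.match(line)):
            cur["app"] = m.group(1)          # local process the IPS blocked traffic to
        elif cur and (m := BLOCK_RE.match(line)):
            cur["src_ip"] = m.group(1)
            cur["start"] = datetime.strptime(m.group(2), TS_FMT)
            cur["end"] = datetime.strptime(m.group(3), TS_FMT)
    return events


def summarize(events):
    """Hits per source IP, the earliest block, and the set of block durations seen."""
    per_ip = Counter(e["src_ip"] for e in events if "src_ip" in e)
    first = min(events, key=lambda e: e["start"])
    durations = {int((e["end"] - e["start"]).total_seconds()) for e in events}
    return {"per_ip": dict(per_ip), "first_seen": first["start"],
            "first_src": first["src_ip"], "block_seconds": durations}


if __name__ == "__main__":
    print(summarize(parse_sep_log(SAMPLE_LOG)))
```

Feed it the full exported Security Log and the per-IP counter shows whether one source is hammering a service or many unrelated sources are probing it.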
My Sony Vaio laptop is running Windows XP SP3. Installed on it is Microsoft Office 2007, along with a pre-installed Microsoft SQL Server 2005, which is the entry point for this attack based on the Symantec Endpoint Protection Security Logs (the blocked process, sqlbrowser.exe, is the SQL Server Browser service).
I was sure that my MS SQL Server 2005 service was not running in the background as a service on my laptop, but it turns out that our new customer network-connectivity troubleshooting tool, PathView by Apparent Networks, is using a local SQL Server service on my laptop as well. By virtue of logic, I believe this application opened another door for this MS SQL based vulnerability.
Below are actual screenshots taken while the attack was occurring:
Symantec Endpoint Protection Client Management Logs - Security Logs
PathView SQL Server running as a Local Service
Wireshark capture while the attack is happening
Let me know if you need a copy of the actual Wireshark capture (.pcap file) for analysis; I have no problem sending it out.
So what have I learned from this? Always double-check what applications are pre-installed on a new machine, and make sure unnecessary services are not running in the background. This happened to me because I got lazy when the new Sony Vaio was handed over to me from work and I did not bother going through it the way I usually do with my personal machines.
Peace out and spread the word.