kaspersky anti-hacker

zak610 · 07-09-2006, 23:49

Di frequente mi capitano messaggi di questo tipo:

07/09/2006 23.42.11 Your computer has been attacked from 218.5.75.60. Attack - Helkern. The attack has been successfully repulsed.

Come devo interpretarlo? Rientra nel comune oppure mi devo preoccupare?

BilloKenobi · 08-09-2006, 00:10

rientra nella comune attività hacker.... sei stato preso di mira... ma gli attacchi di quel tipo vengono bloccati dal tuo firewall a quanto pare. credo ci sia poco da fare.... speriamo il tuo firewall non ti tradisca

W.S. · 08-09-2006, 08:22

bhe, a dire il vero quello + che un hacker penso sia un worm:

"Helkern (aka Helkern, aka Sapphire) is an extremely small (just 376 bytes) Internet worm that affects Microsoft SQL Server 2000. To get into victim machines the worm exploits a buffer overrun vulnerability (see below).

When the worm code gets into a vulnerable SQL server it gains control (by using a buffer overrun trick), it then assumes three Win32 API functions:

GetTickCount (KERNEL32.DLL)
socket, sendto (WS2_32.DLL)

The worm then gets a random counter by using the GetTickCount function and goes into an endless spreading or "spawning" loop. In the spreading loop the worm sends itself to random IP addresses (depending on the random counter), to the MS SQL port 1434.

The worm sends multicast packets, meaning with only one "send" command hits all 255 machines in a subnet. As a result this worm is spreading 255 times faster than any other worm known at the moment.

Because MS SQL servers are often used on the Web this worm may cause a global INet DoS attack, because all infected servers will try to connect to other randomly selected machines in an endless loop - and this will cause a global INet traffic overflow.

The worm is memory only, and it spreads from an infected machine's memory to a victim machine's memory. The worm does not drop any additional files and does not manifest itself in any way.

There are text strings visible in the worm code (a mix of worm code and data):

h.dllhel32hkernQhounthickChGet
Qh32.dhws2_f
etQhsockf
toQhsend

Buffer Overflow

This buffer overrun exploit has the following name:
Unauthenticated Remote Compromise in MS SQL Server 2000

Affected systems are:
Microsoft SQL Server 2000, all Service Packs

This security breach was found in July, 2002 and was later fixed in "MS SQL Server 2000" patches.

You may read more about this at the following addresses:
Microsoft Security Bulletin MS02-039
NGSSoftware Insight Security Research Advisory

The patch for MS SQL Server 2000 is available at: http://www.microsoft.com/Downloads/R...eleaseID=40602 "

07-09-2006, 23:49	#1
zak610 Member Iscritto dal: May 2004 Città: 3VSO Messaggi: 96	kaspersky anti-hacker Di frequente mi capitano messaggi di questo tipo: 07/09/2006 23.42.11 Your computer has been attacked from 218.5.75.60. Attack - Helkern. The attack has been successfully repulsed. Come devo interpretarlo? Rientra nel comune oppure mi devo preoccupare?

08-09-2006, 00:10	#2
BilloKenobi Member Iscritto dal: Jul 2006 Messaggi: 117	rientra nella comune attività hacker.... sei stato preso di mira... ma gli attacchi di quel tipo vengono bloccati dal tuo firewall a quanto pare. credo ci sia poco da fare.... speriamo il tuo firewall non ti tradisca __________________ Begun the Clone War has Sì sì, mi hanno fatto redattore --- SuspectFile

08-09-2006, 08:22	#3
W.S. Senior Member Iscritto dal: Nov 2005 Messaggi: 1868	bhe, a dire il vero quello + che un hacker penso sia un worm: "Helkern (aka Helkern, aka Sapphire) is an extremely small (just 376 bytes) Internet worm that affects Microsoft SQL Server 2000. To get into victim machines the worm exploits a buffer overrun vulnerability (see below). When the worm code gets into a vulnerable SQL server it gains control (by using a buffer overrun trick), it then assumes three Win32 API functions: GetTickCount (KERNEL32.DLL) socket, sendto (WS2_32.DLL) The worm then gets a random counter by using the GetTickCount function and goes into an endless spreading or "spawning" loop. In the spreading loop the worm sends itself to random IP addresses (depending on the random counter), to the MS SQL port 1434. The worm sends multicast packets, meaning with only one "send" command hits all 255 machines in a subnet. As a result this worm is spreading 255 times faster than any other worm known at the moment. Because MS SQL servers are often used on the Web this worm may cause a global INet DoS attack, because all infected servers will try to connect to other randomly selected machines in an endless loop - and this will cause a global INet traffic overflow. The worm is memory only, and it spreads from an infected machine's memory to a victim machine's memory. The worm does not drop any additional files and does not manifest itself in any way. There are text strings visible in the worm code (a mix of worm code and data): h.dllhel32hkernQhounthickChGet Qh32.dhws2_f etQhsockf toQhsend Buffer Overflow This buffer overrun exploit has the following name: Unauthenticated Remote Compromise in MS SQL Server 2000 Affected systems are: Microsoft SQL Server 2000, all Service Packs This security breach was found in July, 2002 and was later fixed in "MS SQL Server 2000" patches. You may read more about this at the following addresses: Microsoft Security Bulletin MS02-039 NGSSoftware Insight Security Research Advisory The patch for MS SQL Server 2000 is available at: http://www.microsoft.com/Downloads/R...eleaseID=40602 " __________________ [ W.S. ]

Strumenti
Mostra una versione stampabile Invia questa pagina per email