Message-ID: <24648932.1075841478126.JavaMail.evans@thyme>
Date: Tue, 27 Nov 2001 07:19:32 -0800 (PST)
From: cooper.richey@enron.com
To: todd.bowen@enron.com
Subject: RE: New Distributed Denial of Service Program in the Wild
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-From: Richey, Cooper
X-To: Bowen, Todd
X-cc:
X-bcc:
X-Folder: \ExMerge - Richey, Cooper\Sent Items
X-Origin: RICHEY-C
X-FileName: cooper richey 6-26-02.PST

no problems here. everything is fine.

-----Original Message-----
From: Bowen, Todd
Sent: Monday, November 26, 2001 10:04 AM
To: Richey, Cooper
Subject: FW: New Distributed Denial of Service Program in the Wild

Cooper,

Please check for this vulnerability amongst your folks and advise soonest...

Regards,
Todd

-----Original Message-----
From: Dietrich, Dan
Sent: Monday, November 26, 2001 8:27 AM
To: Wiebe, Chris; Bowen, Todd
Subject: RE: New Distributed Denial of Service Program in the Wild

Thanks Chris! Todd, please work with Cooper and advise me before end of business of your finds. Thanks!

-----Original Message-----
From: Wiebe, Chris
Sent: Monday, November 26, 2001 9:25 AM
To: Dietrich, Dan
Cc: Bowen, Todd
Subject: RE: New Distributed Denial of Service Program in the Wild

Well, if Cooper or his group over there have any personal/desktop instances, I don't look after them.

Chris Wiebe
Staff, Data Technologies
Enron Canada Corp.
Phone: (403) 974-6929
Cell: (403) 650-7224
Pager: (403) 212-9989
Pager email: chriswiebe@epagenet.net
Email: Chris.Wiebe@Enron.com

-----Original Message-----
From: Dietrich, Dan
Sent: Monday, November 26, 2001 8:23 AM
To: Wiebe, Chris
Cc: Bowen, Todd
Subject: RE: New Distributed Denial of Service Program in the Wild

Are there SQL Servers you do not look after?

-----Original Message-----
From: Wiebe, Chris
Sent: Monday, November 26, 2001 9:21 AM
To: Dietrich, Dan; Kane, Paul; Marryott, Michael
Cc: Bowen, Todd; Steiner, David; Ward, Bob; Ogg, Jim; Smith, Bruce
Subject: RE: New Distributed Denial of Service Program in the Wild

The SQL Servers that I look after all have a password for the SA account.

Chris Wiebe
Staff, Data Technologies
Enron Canada Corp.
Phone: (403) 974-6929
Cell: (403) 650-7224
Pager: (403) 212-9989
Pager email: chriswiebe@epagenet.net
Email: Chris.Wiebe@Enron.com

-----Original Message-----
From: Dietrich, Dan
Sent: Sunday, November 25, 2001 8:12 PM
To: Kane, Paul; Wiebe, Chris; Marryott, Michael
Cc: Bowen, Todd; Steiner, David; Ward, Bob; Ogg, Jim; Smith, Bruce
Subject: FW: New Distributed Denial of Service Program in the Wild
Importance: High

Please advise ASAP as to the status of the SQL at your respective locations. Thanks!

-----Original Message-----
From: Smith, Bruce
Sent: Sun 11/25/2001 4:42 PM
To: Setliff, John; Dietrich, Dan; Chumley, Jason
Cc:
Subject: FW: New Distributed Denial of Service Program in the Wild

-----Original Message-----
From: McAuliffe, Bob
Sent: Sunday, November 25, 2001 3:12 PM
To: Gubser, Marlin; Ray, Edward; Behney, Chris; Matson, Randy; Croucher Jr., Mike; Smith, Bruce; Deleon, Roberto; Ogg, Jim
Subject: Fw: New Distributed Denial of Service Program in the Wild
Importance: High

bob.mcauliffe@enron.com
--------------------------
Sent from my BlackBerry Wireless Handheld

-----Original Message-----
From: Thibodeaux, Mark
To: McAuliffe, Bob ; Bramwell, James ; Reyes, Charles
CC: Enron Network Security ; EEL IT Security ; Matson, Randy ; Ray, Edward ; Dziadek, Keith ; Abshire, Scott ; Martinez, Bob ; Hillier, Bob ; Hotte, Steve ; Dayao, Anthony ; Rub, Jenny ; Webb, Jay ; Freeman, Paul ; Pickering, Mark ; Parsons, Andrew
Sent: Sun Nov 25 11:57:22 2001
Subject: New Distributed Denial of Service Program in the Wild

A new denial of service worm program, - like "sadmind", "nimda", etc. - has been discovered by the staff of SecurityFocus. This new program attacks Microsoft SQL servers that do not have a password set on their administrator accounts (named "sa"). Strange as it may seem, I know from experience that we have had a number of SQL servers at Enron that would be vulnerable to this (i.e., they don't have passwords on their "sa" accounts).

I am running a scan now on port 1433 only (where SQL server runs) to try to identify all vulnerable servers we may have. I will be providing this list to Eddie Ray and the EEL IT Security team for coordination of the remediation work.

Details on the worm can be found at on the front page.

Mark Thibodeaux
Enron Corp. - IT Compliance
713-853-9373
713-826-4738 (cell)