Results 1 to 4 of 4

Thread: IIS/5.0 Attacked my Host - Sent email to admin

  1. #1

    IIS/5.0 Attacked my Host - Sent email to admin

    hey guys, just wondering if this was ok to send to an admin in Thailand whos IIS/5.0
    system tried to attack my Apache 1.3.26 box (the banner was hacked to say Microsoft IIS/5.0) heheeh
    naughty admin i am.

    Hello,

    You do not know me but today my system recieved the following alert
    that appears to come from your box.

    -- snip snip

    Jul 30 04:44:19 securelinux snort[180]: [1:1002:2] WEB-IIS cmd.exe
    access [Classification: Web Application Attack] [Priority: 1]: {TCP}
    168.120.21.34:1241 -> 205.251.201.172:80

    Jul 30 04:56:19 securelinux kernel: Packet log: input ACCEPT eth0
    PROTO=1 168.120.21.34:11 205.251.201.172:1 L=56 S=0x00 I=47511 F=0x0000
    T=105 (#26)

    -- snip snip


    here is the packet payload from this incident

    --snip snip

    [**] WEB-IIS cmd.exe access [**]
    07/30-04:44:19.144142 168.120.21.34:1241 -> 205.251.201.172:80
    TCP TTL:105 TOS:0x0 ID:27758 IpLen:20 DgmLen:99 DF
    ***AP*** Seq: 0xAB574003 Ack: 0x93A76449 Win: 0x4470 TcpLen: 20
    47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
    35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
    73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
    63 2B 64 69 72 0D 0A c+dir..

    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

    Upon further investigation, I perfomed the following command to find out
    what version of the webserver was running.

    "telnet 168.120.21.34 80"
    and recieved this disturbing reply

    C:\WINNT\system32>
    C:\WINNT\system32>Cache-Control: bypass-client=205.251.201.172
    'Cache-Control:' is not recognized as an internal or external command,
    operable program or batch file.

    C:\WINNT\system32>
    C:\WINNT\system32>Connection: keep-alive
    'Connection:' is not recognized as an internal or external command,
    operable program or batch file.

    C:\WINNT\system32>
    C:\WINNT\system32>Via: 1.1 CE-STJH-01-01
    'Via:' is not recognized as an internal or external command,
    operable program or batch file.

    C:\WINNT\system32>
    C:\WINNT\system32>X-Forwarded-For: 205.251.201.172
    'X-Forwarded-For:' is not recognized as an internal or external command,

    operable program or batch file.

    C:\WINNT\system32>
    C:\WINNT\system32>
    C:\WINNT\system32>
    C:\WINNT\system32>

    It looks like their is a remote backdoor bound to port 80, so when
    someone telnets to port 80 on your box, they are dropped into a remote
    shell, in this case, the c:\WINNT\System32> prompt giving the
    attacker(s) full access to your machine. NOT GOOD!.

    As you can see, your machine has been compromised
    *NOT BY MYSELF OR ANYONE AFFILIATED WITH ME WHATSOEVER*
    most likely by the Microsoft IIS 5.0 "Web Server file request parsing
    vulnerability" or
    more commonly "Unicode Attack".

    Perhaps an intruder manually compromised your machine or it was
    compromised by
    a code red or code red version 2 worm. Its not clear at this point.

    Let me state this one more time, I did not compromise your host, im just
    a linux network administrator thats trying to do a good deed here,.

    Please contact me ASAP when you recieve this email.

    P.S - If you get this emai, dont panic, and DO NOT shutdown your
    machine, perform these commands
    and save the output to a floppy disk. Your going to want to hunt down
    who did this and these following commands will help forensic
    investigators

    also grab a pen and a notepad, write down the date, time, and every
    command your typed, also sign it, date it, and place it with your floppy
    disk, then take this evidence to the police.

    c:\WINNT\System32> date
    c:\WINNT\System32> time
    c:\WINNT\System32>netstat -an
    c:\WINNT\System32>nbtstat -c
    c:\WINNT\System32>dir /t:a /a /s /s:d c:
    c:\WINNT\System32>dir /t:w /a /s /o:d c:
    c:\WINNT\System32>dir /t:c /a /s /o:d c:
    c:\WINNT\System32>fport (www.foundstone.com) download it and run it
    c:\WINNT\System32>pslist (www.sysinternals.com) download it and run it
    c:\WINNT\System32>Auditpol
    c:\WINNT\System32>Loggedon
    c:\WINNT\System32>dumpel -t -l system
    c:\WINNT\System32>dumpel -t -l application
    c:\WINNT\System32>dumpel -t -l security
    c:\WINNT\System32>pwdump2
    c:\WINNT\System32>regdump

    thats about all, remember to download fport and pslist to get a listing
    of all the applications running etc.
    remember to save the output of each command to a floppy disk.

    remember to write down EXACTLY what you did, what you typed, the date,
    the time etc..

    Im sorry I had to be the bearer of bad news

    contact me soon if you require further assistance

    Your Truly

    Kurt Pomeroy






    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org

    mQGiBD0+r2ARBACDWVzsIlLjOrAQocpiI1vs/aYuOHBEbWRNCBpL6lku8bhjFgrh
    P79Qw0jAhyjOy7w+SyeHyAT/AcSd5vW0X4Q92TcVUrLjTK7GHsabWoB2aRfLTyMW
    nSlfVQTL7XKKlCBKMAWbI5+C/jxZAXX2/f1iiI29WyQkBj9McJAFplLmLwCgqyQL
    Dtr0cA27w5xPpz6HTB76e2kD/2Ph1Z7olEApgIRtz2t+nefF4mwGnn1CgsuxQq4+
    GMewniLJ3lRc4vaPm4imuJJhwCeEmziUmItco5Vr6Yx+0faiJwtIceM56RfoMv6A
    4+Q19e+bD+/hsjsAEuoUSbZbc4MXsEIYCEBbDiD2URZWP6nSRLAGyHTzlHGbaXU7
    0q1TA/9mEPPS8P77q3a6kIg4PT7MYc3N+V4ndRyFcUAuz3/oD8CzBmYe6emtauyY
    8DA1okG3W5VwVfJ2rUS9jCUS3Z6yCeso3MVBebw9LUnz6/+zt1QnYc/siFAwKKJ5
    QGIvtFKdcgaC/7zqxds9m1XVROWuyIp1JwIF3rg3lLrDAAgBn7RGS3VydCBKb3Nl
    cGggUG9tZXJveSAoU2xhY2t3YXJlIExpbnV4IFIweCkgPGtwb21lcm95QHJvYWRy
    dW5uZXIubmYubmV0PohdBBMRAgAdBQI9Pq9gBQkA7U4ABQsHCgMEAxUDAgMWAgEC
    F4AACgkQiBk34NC0flzNgACgg8LriHbf6KJgTJLdXNH9cf79L6MAmgL6Du4GlGvo
    4yFYFuBaOVkrhSe2uQINBD0+r5YQCADQqQgh1fDJQfoR60HgjFPiseN4UMchygsR
    P+YGFn3kjEPlNfoeVpg3nlDOrh8LlMjGrdE7NORcbnbsPRwACsdGLcoI4QpmAokL
    OVuaoqa1t91IZeTj/+ll26g1CZ3+vFbpCdLhWKcSatcFrUrKFcTKRF9i9bIiukpW
    osjxkPvK7TehFuV07A7E3Gom1NEgT9j5LC5hlRhTnGaVu/3SJ+Lfwqhkt+OFuULW
    GWoND3lWUJaBshjK/GA1yCp4QSO1FeJScGRwCI1dq5gdVH5tRo07K7Qw1GtDYnyV
    PG7Bzg1PzEhtNHPQhUiKE4yzyy9pD2nberkBPudnxsQGoXFYm3AjAAMFB/0VNMRC
    2mq7zx8RF49tbTXhxdYTw0Wc0jO48WXPJ1jrxzZOupcBTpLoW+dQFHe67kN5R7rw
    kVad6QKfb3R4NXzWRK8ayyAxOMn0ePehiv6VACMeq++k/VTenFB441dTsOe4M+72
    WH6wri/NPYwysP4fKPwu25B4xHCx+QSbO2PhtSZvYPCL6/dhSHMIZSFimq3tB8Dy
    wrECvEnFYzYF9soB9c987VQqDv1iDZ3xftGoZgeFzZ0TemYrkS/LS3gjgGHDSe7a
    xv4ytpECPj53is7gZ6rS3NZEDUQJjUZef7aXM4XxejUGA8YArvEQpYfrMdGjSY6q
    SLmCj6LQEn2RZPIDiEwEGBECAAwFAj0+r5YFCQDtTgAACgkQiBk34NC0flyWXQCf
    bCkx9y6thVV1IH7axj40HtUJQs0Ani1oGjhJ9G2Bl3iNsAyWJOv4zL4z
    =thP9
    -----END PGP PUBLIC KEY BLOCK-----

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    304
    yea that should about cover it. I doubt person will go to the authorities but i hope he/she at least fixes the problem. I went to the site in browser and got pretty much the same thing. Could not connect threw telnet though. I might have just messed up but i dont really have the time to keep trying. Anyways interesting read

    Later


    Oh yea screen shot is below if you want to see it




    *****UPDATE******
    The server is actually down now so I am assuming that they got your email and just turned the box off.
    Violence breeds violence
    we need a world court
    not a republican with his hands covered in oil and military hardware lecturing us on world security!

  3. #3
    Computer Forensics
    Join Date
    Jul 2001
    Posts
    672
    thats not an attack....thats a virus...... one of the code red(nimda) etc viruses.......
    Antionline in a nutshell
    \"You\'re putting the fate of the world in the hands of a bunch of idiots I wouldn\'t trust with a potato gun\"

    Trust your Technolust

  4. #4
    it a virus like hogfly sad..... ith you it have tryed the "unicode bug" an old exploit......
    Read my littel How To:
    http://home1.stofanet.dk/truti/phpsi...ck_iis_4_5.txt

    Enjoy!

    Truti

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •