hey guys, just wondering if this was ok to send to an admin in Thailand whose IIS/5.0
system tried to attack my Apache 1.3.26 box (the banner was hacked to say Microsoft IIS/5.0) heheeh
naughty admin I am.

Hello,

You do not know me but today my system received the following alert
that appears to come from your box.

-- snip snip

Jul 30 04:44:19 securelinux snort[180]: [1:1002:2] WEB-IIS cmd.exe
access [Classification: Web Application Attack] [Priority: 1]: {TCP}
168.120.21.34:1241 -> 205.251.201.172:80

Jul 30 04:56:19 securelinux kernel: Packet log: input ACCEPT eth0
PROTO=1 168.120.21.34:11 205.251.201.172:1 L=56 S=0x00 I=47511 F=0x0000
T=105 (#26)

-- snip snip


here is the packet payload from this incident

--snip snip

[**] WEB-IIS cmd.exe access [**]
07/30-04:44:19.144142 168.120.21.34:1241 -> 205.251.201.172:80
TCP TTL:105 TOS:0x0 ID:27758 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0xAB574003 Ack: 0x93A76449 Win: 0x4470 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
63 2B 64 69 72 0D 0A c+dir..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Upon further investigation, I performed the following command to find out
what version of the webserver was running.

"telnet 168.120.21.34 80"
and received this disturbing reply

C:\WINNT\system32>
C:\WINNT\system32>Cache-Control: bypass-client=205.251.201.172
'Cache-Control:' is not recognized as an internal or external command,
operable program or batch file.

C:\WINNT\system32>
C:\WINNT\system32>Connection: keep-alive
'Connection:' is not recognized as an internal or external command,
operable program or batch file.

C:\WINNT\system32>
C:\WINNT\system32>Via: 1.1 CE-STJH-01-01
'Via:' is not recognized as an internal or external command,
operable program or batch file.

C:\WINNT\system32>
C:\WINNT\system32>X-Forwarded-For: 205.251.201.172
'X-Forwarded-For:' is not recognized as an internal or external command,
operable program or batch file.

C:\WINNT\system32>
C:\WINNT\system32>
C:\WINNT\system32>
C:\WINNT\system32>

It looks like there is a remote backdoor bound to port 80, so when
someone telnets to port 80 on your box, they are dropped into a remote
shell, in this case, the c:\WINNT\System32> prompt giving the
attacker(s) full access to your machine. NOT GOOD!

As you can see, your machine has been compromised
*NOT BY MYSELF OR ANYONE AFFILIATED WITH ME WHATSOEVER*
most likely by the Microsoft IIS 5.0 "Web Server file request parsing
vulnerability" or
more commonly "Unicode Attack".

Perhaps an intruder manually compromised your machine or it was
compromised by a Code Red or Code Red version 2 worm. It's not clear at this point.

Let me state this one more time, I did not compromise your host, I'm just
a Linux network administrator that's trying to do a good deed here.

Please contact me ASAP when you receive this email.

P.S - If you get this email, don't panic, and DO NOT shut down your
machine. Perform these commands and save the output to a floppy disk.
You're going to want to hunt down who did this, and the following
commands will help forensic investigators.

Also grab a pen and a notepad, write down the date, time, and every
command you typed; also sign it, date it, and place it with your floppy
disk, then take this evidence to the police.

c:\WINNT\System32> date
c:\WINNT\System32> time
c:\WINNT\System32>netstat -an
c:\WINNT\System32>nbtstat -c
c:\WINNT\System32>dir /t:a /a /s /o:d c:
c:\WINNT\System32>dir /t:w /a /s /o:d c:
c:\WINNT\System32>dir /t:c /a /s /o:d c:
c:\WINNT\System32>fport (www.foundstone.com) download it and run it
c:\WINNT\System32>pslist (www.sysinternals.com) download it and run it
c:\WINNT\System32>Auditpol
c:\WINNT\System32>Loggedon
c:\WINNT\System32>dumpel -t -l system
c:\WINNT\System32>dumpel -t -l application
c:\WINNT\System32>dumpel -t -l security
c:\WINNT\System32>pwdump2
c:\WINNT\System32>regdump

That's about all. Remember to download fport and pslist to get a listing
of all the applications running etc.
Remember to save the output of each command to a floppy disk.

Remember to write down EXACTLY what you did, what you typed, the date,
the time etc.

I'm sorry I had to be the bearer of bad news.

Contact me soon if you require further assistance.

Yours Truly,

Kurt Pomeroy
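An added example, not part of Kurt's post or of Snort: the Python below reconstructs the HTTP request from the Snort hex dump quoted above, pulls the source/destination and signature ID out of the syslog alert line so they can be cited in an abuse report, and normalises the request path the way a defender would before checking for the "..%5c" traversal and cmd.exe access that the WEB-IIS rule fired on. The sample lines are constructed copies of the ones in the post; the regexes, the iterative percent-decoding (capped at three rounds) and the finding names are my own assumptions, not anything from Snort or IIS.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample: the syslog alert from the post, re-joined onto one line.
SYSLOG_LINE = (
    "Jul 30 04:44:19 securelinux snort[180]: [1:1002:2] WEB-IIS cmd.exe access "
    "[Classification: Web Application Attack] [Priority: 1]: {TCP} "
    "168.120.21.34:1241 -> 205.251.201.172:80"
)

# Constructed sample: the Snort payload dump from the post (hex column + ASCII column).
SNORT_HEX_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
63 2B 64 69 72 0D 0A c+dir..
"""

# Assumed layout of a Snort syslog alert line (gid:sid:rev, message, class, priority, 5-tuple).
SYSLOG_ALERT = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<pri>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def parse_syslog_alert(line: str) -> Dict[str, str]:
    """Extract the fields an abuse report needs (signature id, source, destination)."""
    m = SYSLOG_ALERT.search(line)
    if not m:
        raise ValueError("not a recognised snort syslog alert line")
    return m.groupdict()


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild the raw payload from a Snort-style hex dump.

    Each line carries at most 16 hex byte pairs followed by an ASCII column;
    we stop at the 16th pair or at the first token that is not a hex pair,
    so the ASCII column never leaks into the reconstructed bytes."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_request_line(payload: bytes) -> Dict[str, str]:
    """Split the first line of the HTTP request; version may be absent (HTTP/0.9 style)."""
    first = payload.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ")
    return {
        "method": parts[0],
        "target": parts[1] if len(parts) > 1 else "",
        "version": parts[2] if len(parts) > 2 else "",
    }


def normalize_path(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded), fold backslashes to slashes, lowercase.

    Decoding more than once is what lets a checker see through encodings that
    a server might decode in a later pass than the one its access checks ran in."""
    path = target.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def classify(target: str) -> List[str]:
    """Return the suspicious traits of a request target, in a fixed order."""
    findings = []
    path = target.split("?", 1)[0]
    once = unquote(path)
    if unquote(once) != once:
        findings.append("double percent-encoding")
    norm = normalize_path(target)
    if TRAVERSAL.search(norm):
        findings.append("directory traversal")
    if "/cmd.exe" in norm:
        findings.append("cmd.exe access")
    return findings


def analyze(syslog_line: str, hex_dump: str) -> Dict[str, object]:
    """Combine alert metadata with the decoded request for a report or a ticket."""
    alert = parse_syslog_alert(syslog_line)
    req = parse_request_line(hexdump_to_bytes(hex_dump))
    return {
        "sid": alert["sid"],
        "src": alert["src"],
        "dst": alert["dst"],
        "method": req["method"],
        "target": req["target"],
        "normalized": normalize_path(req["target"]),
        "findings": classify(req["target"]),
    }


if __name__ == "__main__":
    for k, v in analyze(SYSLOG_LINE, SNORT_HEX_DUMP).items():
        print(f"{k:>10}: {v}")
```

The normalised path shows why the banner-level check in the post mattered: after one round of decoding, "..%5c%5c.." becomes "..\\\\..", and only after folding backslashes does the second "../" segment become visible to a simple pattern match; a server that decoded after its own path checks would miss it.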