-
July 30th, 2002, 09:25 PM
#1
Junior Member
IIS/5.0 Attacked my Host - Sent email to admin
hey guys, just wondering if this was ok to send to an admin in Thailand whose IIS/5.0
system tried to attack my Apache 1.3.26 box (the banner was hacked to say Microsoft IIS/5.0) heheeh
naughty admin I am.
Hello,
You do not know me but today my system received the following alert
that appears to come from your box.
-- snip snip
Jul 30 04:44:19 securelinux snort[180]: [1:1002:2] WEB-IIS cmd.exe
access [Classification: Web Application Attack] [Priority: 1]: {TCP}
168.120.21.34:1241 -> 205.251.201.172:80
Jul 30 04:56:19 securelinux kernel: Packet log: input ACCEPT eth0
PROTO=1 168.120.21.34:11 205.251.201.172:1 L=56 S=0x00 I=47511 F=0x0000
T=105 (#26)
-- snip snip
here is the packet payload from this incident
--snip snip
[**] WEB-IIS cmd.exe access [**]
07/30-04:44:19.144142 168.120.21.34:1241 -> 205.251.201.172:80
TCP TTL:105 TOS:0x0 ID:27758 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0xAB574003 Ack: 0x93A76449 Win: 0x4470 TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
63 2B 64 69 72 0D 0A c+dir..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Upon further investigation, I performed the following command to find out
what version of the webserver was running.
"telnet 168.120.21.34 80"
and received this disturbing reply
C:\WINNT\system32>
C:\WINNT\system32>Cache-Control: bypass-client=205.251.201.172
'Cache-Control:' is not recognized as an internal or external command,
operable program or batch file.
C:\WINNT\system32>
C:\WINNT\system32>Connection: keep-alive
'Connection:' is not recognized as an internal or external command,
operable program or batch file.
C:\WINNT\system32>
C:\WINNT\system32>Via: 1.1 CE-STJH-01-01
'Via:' is not recognized as an internal or external command,
operable program or batch file.
C:\WINNT\system32>
C:\WINNT\system32>X-Forwarded-For: 205.251.201.172
'X-Forwarded-For:' is not recognized as an internal or external command,
operable program or batch file.
C:\WINNT\system32>
C:\WINNT\system32>
C:\WINNT\system32>
C:\WINNT\system32>
It looks like there is a remote backdoor bound to port 80, so when
someone telnets to port 80 on your box, they are dropped into a remote
shell, in this case, the c:\WINNT\System32> prompt, giving the
attacker(s) full access to your machine. NOT GOOD!
As you can see, your machine has been compromised
*NOT BY MYSELF OR ANYONE AFFILIATED WITH ME WHATSOEVER*
most likely by the Microsoft IIS 5.0 "Web Server file request parsing
vulnerability" or
more commonly "Unicode Attack".
Perhaps an intruder manually compromised your machine or it was
compromised by
a code red or code red version 2 worm. It's not clear at this point.
Let me state this one more time, I did not compromise your host, I'm just
a Linux network administrator that's trying to do a good deed here.
Please contact me ASAP when you receive this email.
P.S - If you get this email, don't panic, and DO NOT shut down your
machine, perform these commands
and save the output to a floppy disk. You're going to want to hunt down
who did this and these following commands will help forensic
investigators
also grab a pen and a notepad, write down the date, time, and every
command you typed, also sign it, date it, and place it with your floppy
disk, then take this evidence to the police.
c:\WINNT\System32> date
c:\WINNT\System32> time
c:\WINNT\System32>netstat -an
c:\WINNT\System32>nbtstat -c
c:\WINNT\System32>dir /t:a /a /s /s:d c:
c:\WINNT\System32>dir /t:w /a /s /o:d c:
c:\WINNT\System32>dir /t:c /a /s /o:d c:
c:\WINNT\System32>fport (www.foundstone.com) download it and run it
c:\WINNT\System32>pslist (www.sysinternals.com) download it and run it
c:\WINNT\System32>Auditpol
c:\WINNT\System32>Loggedon
c:\WINNT\System32>dumpel -t -l system
c:\WINNT\System32>dumpel -t -l application
c:\WINNT\System32>dumpel -t -l security
c:\WINNT\System32>pwdump2
c:\WINNT\System32>regdump
that's about all, remember to download fport and pslist to get a listing
of all the applications running etc.
remember to save the output of each command to a floppy disk.
remember to write down EXACTLY what you did, what you typed, the date,
the time etc..
I'm sorry I had to be the bearer of bad news
contact me soon if you require further assistance
Yours truly
Kurt Pomeroy
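The Snort alert quoted in the post above prints the request as a hex dump beside an ASCII column. As an added example (not from the original post or from Snort), the following rebuilds the raw bytes from that dump, normalises the URL the way IIS would have (percent-decoding twice for the double-decode bug and mapping the overlong UTF-8 forms the "Unicode" bug used), and reports the two indicators behind the "WEB-IIS cmd.exe access" signature: a traversal out of the web root and a path ending in cmd.exe. The sample dump is the one from the post; the other request lines are constructed.

```python
import re
from urllib.parse import unquote_to_bytes

# Payload lines from the Snort alert quoted in the post above, exactly as
# Snort prints them (hex columns, then the ASCII column).
SNORT_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..%
35 63 25 35 63 2E 2E 2F 77 69 6E 6E 74 2F 73 79 5c%5c../winnt/sy
73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F stem32/cmd.exe?/
63 2B 64 69 72 0D 0A c+dir..
"""

# Snort emits at most 16 hex bytes per line; stop at the ASCII column.
HEX_PREFIX = re.compile(r"^((?:[0-9A-Fa-f]{2} ){1,16})")
# Overlong UTF-8 forms used by the IIS "Unicode" traversal for / \ and .
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b"."}
TRAVERSAL = re.compile(rb"(?:^|/)\.\.(?:/|$)")
CMD_EXE = re.compile(rb"/cmd\.exe$", re.IGNORECASE)

def payload_from_snort_dump(dump: str) -> bytes:
    """Rebuild the raw packet bytes from Snort's hex/ASCII dump lines."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_PREFIX.match(line.strip() + " ")
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def normalise_path(raw: bytes, rounds: int = 2) -> bytes:
    """Percent-decode twice (IIS double-decode bug), map overlong UTF-8 and
    fold backslashes so every traversal spelling compares the same way.
    Two rounds over-decode a legitimate '%25'; acceptable for a detector."""
    path = raw
    for _ in range(rounds):
        path = unquote_to_bytes(path)
    for enc, plain in OVERLONG.items():
        path = path.replace(enc, plain)
    return path.replace(b"\\", b"/")

def classify_request(payload: bytes) -> dict:
    """Report traversal and cmd.exe indicators for the request line, the
    combination behind the 'WEB-IIS cmd.exe access' alert."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return {"method": None, "path": None, "traversal": False, "cmd_exe": False}
    path = normalise_path(parts[1].split(b"?", 1)[0])
    return {"method": parts[0].decode("ascii", "replace"),
            "path": path.decode("latin-1"),
            "traversal": bool(TRAVERSAL.search(path)),
            "cmd_exe": bool(CMD_EXE.search(path))}
```

Running `classify_request(payload_from_snort_dump(SNORT_DUMP))` on the post's alert yields both indicators true; the same path spelled with `%c0%af` or `%255c` normalises to the same result.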
-
July 30th, 2002, 10:35 PM
#2
yea that should about cover it. I doubt the person will go to the authorities but I hope he/she at least fixes the problem. I went to the site in a browser and got pretty much the same thing. Could not connect through telnet though. I might have just messed up but I don't really have the time to keep trying. Anyways interesting read
Later
Oh yea screen shot is below if you want to see it
*****UPDATE******
The server is actually down now so I am assuming that they got your email and just turned the box off.
Violence breeds violence
we need a world court
not a republican with his hands covered in oil and military hardware lecturing us on world security!
-
July 31st, 2002, 09:17 PM
#3
that's not an attack....that's a virus...... one of the code red(nimda) etc viruses.......
Antionline in a nutshell
"You're putting the fate of the world in the hands of a bunch of idiots I wouldn't trust with a potato gun"
Trust your Technolust
-
August 7th, 2002, 04:10 PM
#4
it's a virus like hogfly said..... with you it has tried the "unicode bug", an old exploit......
Read my little How To:
http://home1.stofanet.dk/truti/phpsi...ck_iis_4_5.txt
Enjoy!
Truti