OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Matthew.Brownpredictive.com
Date: Wed Jun 05 2002 - 12:33:34 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Lain

            I haven't run across this in the wild. Just wanted to let you know
    that this isn't the first time I've seen more than just scripts coming
    from the RIPE.NET domain out of Deutschland (Germany). I've seen it on at
    least two incidents I've been on over the past six months.

    Thanks,
    Matthew Brown, CISSP, SSCP
    Principal Security Consultant
    Predictive Systems

    "Iain Craig" <i.craiggael.net>
    06/05/2002 01:40 AM

     
            To: <forensicssecurityfocus.com>
            cc: <incidentssecurityfocus.com>
            Subject: [incident] IIS defacement through FTP, possible DoS

    Hi all,

    Was wondering if anyone is aware of an IIS FTP server exploit that allows
    an attacker the read/write access of a single given legimate user's
    folders and also zeroes the log file?

    I've just seen this behaviour on a box running Win2K Advanced Server SP2
    and IIS 5.

    The box hosts many websites, one of which was defaced; looking at the web
    logs I see no suspicious activity at all (no POST attempts even - the
    site's fairly simple and doesn't need POST at all - also no FrontPage).
    Checking the FTP logs, which is the site's owner's only way in, I see the
    log for when the attack happened (on hourly rotation) is precisely 64Kb of
    00h.

    Is this "just" a cunning FTP server exploit or, given the nature of the
    logfile, should I be concerned that a higher level of access to the box
    has been acheived?

    In logs for the days prior to the compromise I see connections to the FTP
    server that are certainly odd but don't match a brute force attack
    fingerprint:

    <snip>
    02:08:50 81.65.186.118 anonymousftp.microsoft.com MSFTPSVC1 BOXNAME
    IP.OF.THE.BOX 21 [27]USER anonymousftp.microsoft.com - 331 0 0 0 0 FTP -
    - - -
    02:08:50 81.65.186.118 anonymousftp.microsoft.com MSFTPSVC1 BOXNAME
    IP.OF.THE.BOX 21 [28]USER anonymousftp.microsoft.com - 331 0 0 0 0 FTP -
    - - -
    02:08:50 81.65.186.118 anonymousftp.microsoft.com MSFTPSVC1 BOXNAME
    IP.OF.THE.BOX 21 [29]USER anonymousftp.microsoft.com - 331 0 0 0 0 FTP -
    - - -
    02:08:50 81.65.186.118 anonymousftp.microsoft.com MSFTPSVC1 BOXNAME
    IP.OF.THE.BOX 21 [30]USER anonymousftp.microsoft.com - 331 0 0 0 0 FTP -
    - - -
    02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [1]PASS - -
    530 1326 0 0 235 FTP - - - -
    02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [5]PASS - -
    530 1326 0 0 219 FTP - - - -
    02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [2]PASS - -
    530 1326 0 0 219 FTP - - - -
    <snip>

    There was a LOT of those, all very fast like a DoS attempt. Other
    usernames I was seeing in a similar DoS fashion from the same time and IP
    were Ogpuserhome.com, Kgpuserhome.com, and Lgpuserhome.com

    Anyone know of a kiddie tool that uses these names?

    Incidentally, from the WHOIS on that IP:

    inetnum: 81.64.0.0 - 81.67.255.255
    netname: FR-CYBERCABLE-20020103
    descr: LYONNAISE COMMUNICATIONS
                           PROVIDER Local Registry
    country: FR
    admin-c: LC220-RIPE
    tech-c: LC224-RIPE
    status: ALLOCATED PA
    mnt-by: RIPE-NCC-HM-MNT
    mnt-lower: AS6678-MNT
    mnt-routes: AS6678-MNT
    changed: hostmasterripe.net 20020103
    changed: hostmasterripe.net 20020108
    source: RIPE

    That's not the only IP these DoS-ish requests came from; going through the
    others now. Wondering if I'm dealing with two seperate incidents here, the
    defacement and a seperate DoS or DDoS.

    Any advice or guidance appreciated.

    Best regards,
    Iain C

    -- 
    Iain Craig
    

    -- Iain Craig - Systems Administrator

    Gael.net Ltd - Web Developers & Internet Consultants Telematic Centre, Broom Place, Dunvegan Road, Portree, Isle of Skye Scotland IV51 9HL

    t: +44 (0)1478 613 300 f: +44 (0)1478 614 929 e: i.craiggael.net w: www.gael.net

    Need "Instant Web Publishing"? Try www.sitekit.net Need "Instant E-commerce"? Try www.shopkit.net Need effective e-marketing services? Try www.promokit.net

    The 2001 Highland & Islands Business Awards - Technology Award Winner

    ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

    ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com