RE: frontpage extensions; backdoor or initial compromise?
From: Jordan Wiens (jwiens at nersp.nerdc.ufl.edu)
Date: Thu Jul 03 2003 - 14:06:34 CDT
Win2k Pro, IIS. I double-checked the admin's patches and it looks like he
had everything he should have had.
The system log had nothing for the time period in question, and the
application log had the following items of note:
7/1/2003 4:29:29 PM AlertManager Error None 770 N/A MACHINENAME "Alert Manager could not send an alert message. Device type: ""Network Message"" Intended recipient: ""\\MACHINE"" Message: ""The file C:\Inetpub\wwwroot\svchost.exe is infected with ServU-Daemon Virus. The file was successfully deleted.(from MACHINE IP aaa.bbb.ccc.ddd user MACHINE\IUSR_MACHINE running NetShield 2000 4.5 OAS)"" "
(repeated a few times)
7/1/2003 4:25:44 PM Active Server Pages Information None 3 N/A MACHINENAME Service started.
The security log was blank.
--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061
On Thu, 3 Jul 2003, James Tollerson wrote:
> What OS have you seen this happen on? What information is the event log
> showing?
>
> James Tollerson
>
>
> -----Original Message-----
> From: Jordan Wiens [mailto:jwiens at nersp.nerdc.ufl.edu]
> Sent: Wednesday, July 02, 2003 1:09 PM
> To: incidents at securityfocus.com
> Subject: frontpage extensions; backdoor or initial compromise?
>
> We had a recent compromise that our IDS did not detect, however, it did
> detect subsequent backdoor activity and a few other packets afterwards
> that alerted us to the compromise. Upon closer investigation of the
> activity, some of the additional information logged showed some frontpage
> extensions being used in an interesting way. Anyone else seen this?
>
> Since we were unable to determine the initial compromise method, I'm
> trying to figure out if this was purely used as a backdoor, or might also
> have been the same method as the initial compromise.
>
> Some additional background info; the svchost.exe is a renamed servu ftp
> daemon process that was loaded into the server along with a few other,
> 'normal' backdoor tools.
>
>
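A defender's triage script for application-log exports like the NetShield alert quoted in Jordan Wiens's reply above (an added example, not code from the thread): it parses the alert lines and flags a detection when the infected file sits under the IIS web root and the writing account is an IIS anonymous user, the combination that points at the web server itself, rather than an interactive logon, as the delivery path. The sample lines, host names and IP are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample lines in the layout of the exported application log
# quoted in the message above; host names and the IP are placeholders.
SAMPLE_LOG = r'''7/1/2003 4:29:29 PM AlertManager Error None 770 N/A MACHINENAME "Alert Manager could not send an alert message. Device type: ""Network Message"" Intended recipient: ""\\MACHINE"" Message: ""The file C:\Inetpub\wwwroot\svchost.exe is infected with ServU-Daemon Virus. The file was successfully deleted.(from MACHINE IP aaa.bbb.ccc.ddd user MACHINE\IUSR_MACHINE running NetShield 2000 4.5 OAS)"" "
7/1/2003 4:25:44 PM Active Server Pages Information None 3 N/A MACHINENAME Service started.
7/1/2003 5:10:02 PM AlertManager Error None 770 N/A MACHINENAME "Alert Manager could not send an alert message. Message: ""The file C:\Temp\eicar.com is infected with EICAR test file. The file was successfully deleted.(from MACHINE IP aaa.bbb.ccc.ddd user MACHINE\Administrator running NetShield 2000 4.5 OAS)"" "'''

# Pulls the three facts that matter out of a NetShield on-access alert:
# which file, what it was flagged as, and which account was writing it.
ALERT_RE = re.compile(
    r'The file (?P<path>[^"]+?) is infected with (?P<threat>.+?)\. '
    r'.*?user (?P<user>[^\s"]+) running')

WEB_ROOTS = (r'c:\inetpub\wwwroot',)   # content served by IIS
WEB_ACCOUNTS = ('IUSR_', 'IWAM_')       # IIS anonymous / out-of-process accounts

@dataclass
class Finding:
    path: str
    threat: str
    user: str
    reasons: list = field(default_factory=list)

def parse_alerts(log_text):
    """Return one Finding per AV alert line, with the reasons it is suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        f = Finding(m['path'], m['threat'], m['user'])
        if f.path.lower().startswith(WEB_ROOTS):
            f.reasons.append('executable dropped inside the web root')
        account = f.user.rsplit('\\', 1)[-1].upper()   # strip the DOMAIN\ prefix
        if account.startswith(WEB_ACCOUNTS):
            f.reasons.append('written in the IIS anonymous-user context, '
                             'i.e. through the web server, not by a logged-on user')
        findings.append(f)
    return findings

def web_compromise_candidates(log_text):
    """Alerts that satisfy both checks: the web application itself wrote malware."""
    return [f for f in parse_alerts(log_text) if len(f.reasons) == 2]

if __name__ == '__main__':
    for f in web_compromise_candidates(SAMPLE_LOG):
        print(f.path, f.threat, f.user, '; '.join(f.reasons), sep=' | ')
```

The constructed third line shows the contrast: the same alert text for a file outside the web root written by an interactive account is parsed but not flagged.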