From: Fab Siciliano (fsicilianoEARTHLINK.NET)
Date: Tue Mar 20 2001 - 18:04:34 CST

    They used tftp to upload a "DL.exe" to your server. It's probably a
    backdoor. But don't delete it right away; you can screw up your system,
    because it may attach itself to some other "critical" files.

    If I were you, I would create another partition and install IIS on the "other"
    partition; don't install NT on the same partition as IIS. That's why they
    had access to your WINNT directory.

    Make sure you get the latest hotfixes from Microsoft, for IIS of course. I'm
    sure you'll get some replies that are way more detailed than mine... But
    it's worth a shot. See ya,

                            -Fab
    ----- Original Message -----
    From: Jack Lyons <jack.lyonsMARTINAGENCY.COM>
    To: <FOCUS-MSSECURITYFOCUS.COM>
    Sent: Tuesday, March 20, 2001 1:18 PM
    Subject: One of our sites had problem yesterday afternoon...

    > It appears that someone was able to install a program that caused the
    > server to hit 100% CPU Utilization. The program was DL.EXE.
    >
    > After cleaning off the system and applying hotfixes, patches, and other
    > fixes based on recommendations in this mailing list, I went through the
    > logs and saw some suspicious activity in the web logs... here is a snippet
    >
    > 00:04:14 62.157.45.35 GET /scripts/../../winnt/system32/cmd.exe 200
    > 00:04:16 62.157.45.35 GET /scripts/../../winnt/system32/attrib.exe 502
    > 00:04:18 62.157.45.35 GET /scripts/../../winnt/system32/cmd.exe 502
    > 00:04:21 62.157.45.35 GET /scripts/../../winnt/system32/tftp.exe 502
    > 00:04:24 62.157.45.35 GET /scripts/E.asp 200
    > 00:04:26 62.157.45.35 GET /scripts/../../winnt/system32/attrib.exe 502
    > 00:04:30 62.157.45.35 GET /scripts/../../winnt/system32/cmd.exe 502
    >
    > I have two questions:
    > 1) What are they doing with the first line?
    > 2) How can I look at my logs and identify what vulnerability was
    > exploited?
    >
    > Thanks
    > Jack
    >
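As an added example (not part of the original thread, and not Fab's or Jack's code), here is a small Python scanner for the log layout quoted above: it percent-decodes each request path, flags any request whose path contains a ".." segment or names a system binary, and groups the hits per client address, counting how many IIS answered with 200. The sample lines are constructed from the quoted excerpt plus two made-up entries; the SYSTEM_TOOLS list is an assumption drawn from the excerpt.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample: the seven lines quoted in the thread above, plus a benign
# request and a percent-encoded traversal attempt that IIS answered with 404.
SAMPLE_LOG = """\
00:04:14 62.157.45.35 GET /scripts/../../winnt/system32/cmd.exe 200
00:04:16 62.157.45.35 GET /scripts/../../winnt/system32/attrib.exe 502
00:04:18 62.157.45.35 GET /scripts/../../winnt/system32/cmd.exe 502
00:04:21 62.157.45.35 GET /scripts/../../winnt/system32/tftp.exe 502
00:04:24 62.157.45.35 GET /scripts/E.asp 200
00:04:26 62.157.45.35 GET /scripts/../../winnt/system32/attrib.exe 502
00:04:30 62.157.45.35 GET /scripts/../../winnt/system32/cmd.exe 502
00:05:01 10.0.0.7 GET /default.htm 200
00:05:03 10.0.0.8 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe 404
"""
# Field layout of the excerpt: time, client IP, method, URI, HTTP status.
LOG_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")
# Executables no web request should name (assumed list, taken from the excerpt).
SYSTEM_TOOLS = {"cmd.exe", "tftp.exe", "attrib.exe"}

def analyze(log_text):
    """Per client IP: count requests whose decoded path has a '..' segment or names
    a SYSTEM_TOOLS binary, how many IIS answered with 200 (not rejected, so triage
    those first), the time of the first one, and which binaries were requested."""
    findings = defaultdict(lambda: {"hits": 0, "served": 0, "tools": set(), "first": None})
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        time, ip, _method, uri, status = m.groups()
        # Percent-decode twice so encoded or double-encoded '..' segments show up.
        segments = unquote(unquote(uri)).lower().split("/")
        tool = segments[-1]
        if ".." not in segments and tool not in SYSTEM_TOOLS:
            continue  # ordinary request, e.g. /default.htm or /scripts/E.asp
        f = findings[ip]
        f["hits"] += 1
        if status == "200":
            f["served"] += 1
        if tool in SYSTEM_TOOLS:
            f["tools"].add(tool)
        f["first"] = f["first"] or time
    return dict(findings)

if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {f['hits']} hits, {f['served']} served with 200, "
              f"first at {f['first']}, binaries={sorted(f['tools'])}")
```

A raw ".." reaching the server is itself the signal, since a browser would have collapsed it before sending; the one request in the excerpt that came back 200 is the line to start the investigation from.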