From: Fab Siciliano (fsicilianoEARTHLINK.NET)
Date: Tue Mar 20 2001 - 18:04:34 CST
They used tftp to upload a "DL.exe" to your server. It's probably a
backdoor, but don't delete it right away. You can screw up your system,
because it may attach itself to some other "critical" files.
If I were you, I would create another partition and install IIS on the "other"
partition; don't install NT on the same partition as IIS. That's why they
had access to your WINNT directory.
Make sure you get the latest hotfixes from Microsoft, for IIS of course. I'm
sure you'll get some replies that are way more detailed than mine... but
it's worth a shot. See ya,
----- Original Message -----
From: Jack Lyons <jack.lyonsMARTINAGENCY.COM>
Sent: Tuesday, March 20, 2001 1:18 PM
Subject: One of our sites had problem yesterday afternoon...
> It appears that someone was able to install a program that caused the
> to hit 100% CPU Utilization. The program was DL.EXE.
> After cleaning off the system and applying hotfixes, patches, and other
> fixes based on recommendations in this mailing list, I went through the
> logs and saw some suspicious activity in the web logs... here is a snippet
> 00:04:14 22.214.171.124 GET /scripts/../../winnt/system32/cmd.exe 200
> 00:04:16 126.96.36.199 GET /scripts/../../winnt/system32/attrib.exe 502
> 00:04:18 188.8.131.52 GET /scripts/../../winnt/system32/cmd.exe 502
> 00:04:21 184.108.40.206 GET /scripts/../../winnt/system32/tftp.exe 502
> 00:04:24 220.127.116.11 GET /scripts/E.asp 200
> 00:04:26 18.104.22.168 GET /scripts/../../winnt/system32/attrib.exe 502
> 00:04:30 22.214.171.124 GET /scripts/../../winnt/system32/cmd.exe 502
> I have two questions:
> 1) What are they doing with the first line
> 2) How can I look at my logs and identify what vulnerability was
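For the second question in the quoted message (how to go through the web logs and spot what was being exercised), the following is an added example, not code from either poster: a small Python triage script that parses lines in the same shape as the snippet above, normalizes the requested path (undoing percent-encoding, including double-encoding, and turning backslashes into slashes), and flags any request whose normalized path climbs out of the virtual directory with `..` and reaches into `winnt\system32`. The sample log embedded in the script is constructed for the example, with addresses from the documentation ranges rather than the ones in the original post; the overlong UTF-8 encoding of `/` is deliberately not decoded here and would need a dedicated decoder.

```python
"""Triage an IIS-style web log for directory-traversal requests.

Added example: scans log lines of the form
    HH:MM:SS client-ip METHOD path status
(the layout of the snippet in the post) and reports, per client address,
how many requests escaped the virtual directory with '..', which
system32 binaries they reached for, and how many were answered 200.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log, modelled on the snippet in the post.  The
# addresses are from the documentation ranges (TEST-NET), not real hosts.
SAMPLE_LOG = """\
00:04:14 203.0.113.10 GET /scripts/../../winnt/system32/cmd.exe 200
00:04:16 203.0.113.10 GET /scripts/../../winnt/system32/attrib.exe 502
00:04:21 203.0.113.10 GET /scripts/../../winnt/system32/tftp.exe 502
00:04:24 203.0.113.10 GET /scripts/E.asp 200
00:05:02 203.0.113.11 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 200
00:06:00 198.51.100.7 GET /index.htm 200
00:06:01 198.51.100.7 GET /images/logo.gif 200
"""

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) (\S+) (GET|POST|HEAD) (\S+) (\d{3})$")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
SYSTEM32_RE = re.compile(r"/winnt/system32/([^/]+)$", re.IGNORECASE)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, ip, method, path, status = m.groups()
    return {"time": time, "ip": ip, "method": method, "path": path, "status": int(status)}


def normalize_path(raw):
    """Undo percent-encoding until stable (catches %255c style double encoding)
    and fold backslashes into slashes so '..\\..\\' and '../../' compare equal.
    Overlong UTF-8 sequences (e.g. %c0%af) are NOT decoded by this helper."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_traversal(path):
    """True when a normalized path contains a '..' path segment."""
    return TRAVERSAL_RE.search(path) is not None


def triage(log_text):
    """Summarize traversal activity per client address."""
    findings = defaultdict(lambda: {
        "traversal_hits": 0, "served": 0, "binaries": set(), "first": None, "last": None,
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["path"])
        if not is_traversal(path):
            continue
        f = findings[rec["ip"]]
        f["traversal_hits"] += 1
        if rec["status"] == 200:          # server answered the request successfully
            f["served"] += 1
        m = SYSTEM32_RE.search(path)
        if m:
            f["binaries"].add(m.group(1).lower())
        f["first"] = f["first"] or rec["time"]
        f["last"] = rec["time"]
    return dict(findings)


if __name__ == "__main__":
    for ip, f in triage(SAMPLE_LOG).items():
        print(f"{ip}: {f['traversal_hits']} traversal request(s), {f['served']} answered 200, "
              f"{f['first']}..{f['last']}, binaries: {', '.join(sorted(f['binaries'])) or '-'}")
```

Run against a real log, the summary gives you the source address, the window of activity and the binaries that were reached for; any line that reaches `cmd.exe` or `tftp.exe` through a traversed path is the thing to pull out and line up against the timestamps of files that appeared on the server.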