From: Mauri Gómez (mgcGTD.ES)
Date: Wed Sep 19 2001 - 04:15:23 CDT

    Hi folks,
    I recommend the new tool that Microsoft has recently published, named
    URLScan. I've been testing it for two weeks, and it's very good for preventing
    this kind of attack.
    You can see a brief description in
    http://www.microsoft.com/technet/security/urlscan.asp
    Regards
    Mauri

    -----Original Message-----
    From: Hamilton, Aaron [mailto:ahamiltonNUCO.COM]
    Sent: Tuesday, September 18, 2001 20:55
    To: win2ksecadviceLISTSERV.NTSECURITY.NET
    Subject: Re: Increase of scanning.

    We've been hit, in multiple ways. Apparently the virus is using the web
    traversal vulnerability and then modifying webpages on the infected server
    such that visitors are prompted to download an email message which contains
    the virus.

    Also after opening the virus with a hex editor it seems that it was modified
    to appear as a .wav file so that users are not prompted to save/download the
    file and instead it is "previewed" by the default app and then infects the
    machine.

    -----Original Message-----
    From: Chad Smykay [mailto:csmykayRACKSPACE.COM]
    Sent: Tuesday, September 18, 2001 1:54 PM
    To: win2ksecadviceLISTSERV.NTSECURITY.NET
    Subject: Increase of scanning.

    Apparently there is a new worm called "nimda". Here is some REALLY general
    info:

    http://www.f-secure.com/v-descs/nimda.shtml

    Other links in regards to this:

    http://www.cert.org/current/current_activity.html#port80

    http://www.cert.org/advisories/CA-2001-11.html

    However I wanted to review what I have found so far. From what I can tell
    there is an "mmc.exe" process or processes that is being run when there are
    NO other users logged in and no such process being spawned.

    Also it appears to be doing NetBIOS scans at the same time it is doing these
    IP range scans. By monitoring a current server that is running this
    exploit, I see about 20-30 "net.exe" and "net1.exe" being spawned. Most
    likely they are also trying to do NetBIOS scans either on the current
    network they are on or other IP ranges.

    The only thing that we can think to do at this time is to block this traffic
    via IDS.

    It also appears that they are attempting to send this new "readme.exe" via
    IIS SMTP Server, but we can not confirm that right now. Anyone?

    Here is a snippet from the log files that if you probably check right now on
    your server you will see:

    <-- Begin Logfile snip
    [Tue Sep 18 08:13:17 2001] [error] [client 195.124.124.237] File does not
    exist: /usr/local/etc/httpd/sites/default.ida
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/scripts/root.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/MSADC/root.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/c/winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/d/winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist:
    /usr/local/etc/httpd/sites/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/c
    md.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist:
    /usr/local/etc/httpd/sites/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/c
    md.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist:
    /usr/local/etc/httpd/sites/msadc/..%5c../..%5c../..%5c/..Á ../..Á /..Á ../
    winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/scripts/..Á ../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/scripts/..À¯../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/scripts/..Áoe../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
    [Tue Sep 18 08:22:19 2001] [error] [client 209.61.190.233] File does not
    exist: /usr/local/etc/httpd/sites/scripts/..%2f../winnt/system32/cmd.exe
    <-- End logfile snip

    Please note that the above is from a Linux Web server but you will see the
    same across the board.

    Here is another snip for a Windows NT server logfile

    <-- Begin log snip
    4:48:02 209.61.190.233 GET /scripts/root.exe 403
    14:48:02 209.61.190.233 GET /MSADC/root.exe 200
    14:48:31 209.61.187.113 GET /scripts/root.exe 403
    14:48:31 209.61.187.113 GET /MSADC/root.exe 200
    14:48:31 209.61.187.113 GET /MSADC/root.exe 502
    14:48:31 209.61.187.113 GET /MSADC/Admin.dll 500
    14:48:31 209.61.187.113 GET /c/winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET /d/winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET
    /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET
    /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET
    /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe 404
    14:48:31 209.61.187.113 GET /scripts/..Á ../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/../../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..\../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..S5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..%5c../winnt/system32/cmd.exe 403
    14:48:31 209.61.187.113 GET /scripts/..%2f../winnt/system32/cmd.exe 403
    <-- End log snip

    If you have ANY additional info please share with everyone.

    Kind Regards,

    Chad Smykay
    Rackspace Managed Hosting

    ______________________________________
    Chad Smykay
    Sys Admin Complex Division
    Rackspace Managed Hosting
    800-961-4454 ext. 1249.
    ______________________________________

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listservlistserv.ntsecurity.net

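The two log snippets in this thread show the same probe traffic in two formats (an Apache error log and an IIS access log), with the traversal step written several ways: `..%5c..`, `..%2f..`, `..\..`, `../..`, and the overlong UTF-8 forms that the mail client rendered as `..Á ..` and `..À¯..` (`%c1%9c` and `%c0%af`). A detector that matches literal strings misses some of those spellings, so the check below first normalizes the path the way the server ultimately will (percent-decode, fold overlong two-byte UTF-8 back to ASCII, treat backslash as a separator, resolve `..`) and only then asks whether the request climbs out of the web root or names one of the files these worms look for. This is an added example written for this page, not code from the thread, Rackspace, Neohapsis or Microsoft; the sample lines are constructed after the quoted snippets with documentation-range addresses, and the `DOCROOT` prefix used to trim the Apache lines is an assumption taken from the snippet.

```python
import re

# Assumed document root for the Apache-style lines (taken from the thread's
# snippet; an assumption of this example, adjust for your own server).
DOCROOT = "/usr/local/etc/httpd/sites"

# Constructed sample lines modelled on the two snippets quoted in the thread
# (documentation-range client addresses, not the ones from the original logs).
SAMPLE_LOG = """\
[Tue Sep 18 08:13:17 2001] [error] [client 192.0.2.10] File does not exist: /usr/local/etc/httpd/sites/default.ida
[Tue Sep 18 08:22:19 2001] [error] [client 192.0.2.11] File does not exist: /usr/local/etc/httpd/sites/scripts/root.exe
[Tue Sep 18 08:22:19 2001] [error] [client 192.0.2.11] File does not exist: /usr/local/etc/httpd/sites/scripts/..%5c../winnt/system32/cmd.exe
[Tue Sep 18 08:22:19 2001] [error] [client 192.0.2.11] File does not exist: /usr/local/etc/httpd/sites/scripts/..%c0%af../winnt/system32/cmd.exe
[Tue Sep 18 08:30:00 2001] [error] [client 192.0.2.12] File does not exist: /usr/local/etc/httpd/sites/images/logo.gif
14:48:31 192.0.2.13 GET /MSADC/root.exe 200
14:48:31 192.0.2.13 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 403
14:48:31 192.0.2.13 GET /scripts/..%c1%9c../winnt/system32/cmd.exe 403
14:48:31 192.0.2.13 GET /scripts/../../winnt/system32/cmd.exe 403
14:49:00 192.0.2.14 GET /index.html 200
"""

APACHE_RE = re.compile(r"\[client ([\d.]+)\] File does not exist: (\S+)")
IIS_RE = re.compile(r"^\S+ ([\d.]+) (?:GET|POST|HEAD) (\S+) (\d{3})$")

# File names the probes in the thread ask for, compared case-insensitively.
WORM_TARGETS = ("cmd.exe", "root.exe", "default.ida", "admin.dll")


def percent_decode(path):
    """Decode %XX escapes to raw bytes; malformed escapes are kept literally."""
    out = bytearray()
    i = 0
    while i < len(path):
        if path[i] == "%" and i + 2 < len(path):
            try:
                out.append(int(path[i + 1:i + 3], 16))
                i += 3
                continue
            except ValueError:
                pass
        out.extend(path[i].encode("latin-1", "replace"))
        i += 1
    return bytes(out)


def fold_overlong_utf8(raw):
    """Map two-byte overlong UTF-8 (lead byte 0xC0/0xC1) to the ASCII byte it
    encodes: C0 AF -> '/', C1 9C -> '\\'.  Decoding these only after the
    traversal check is the flaw the "..%c0%af.." probes rely on, so a detector
    must fold them before it looks for '..'."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize(path):
    """Return (segments, escaped): the resolved path segments, and whether a
    '..' climbed above the web root at any point during resolution."""
    text = fold_overlong_utf8(percent_decode(path)).decode("latin-1")
    segments, escaped = [], False
    for part in text.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            if segments:
                segments.pop()
            else:
                escaped = True
        else:
            segments.append(part)
    return segments, escaped


def classify(path):
    """Return a reason string if the request looks like a worm probe, else None."""
    segments, escaped = canonicalize(path)
    if escaped:
        return "directory traversal out of web root"
    if segments and segments[-1].lower() in WORM_TARGETS:
        return "request for known worm target " + segments[-1]
    return None


def parse_line(line):
    """Extract (client_ip, request_path) from an Apache error-log line or an
    IIS-style access-log line; None for lines in neither format."""
    m = APACHE_RE.search(line)
    if m:
        ip, path = m.group(1), m.group(2)
        if path.startswith(DOCROOT):
            path = path[len(DOCROOT):]
        return ip, path
    m = IIS_RE.match(line)
    if m:
        return m.group(1), m.group(2)
    return None


def scan_log(text):
    """Run every parseable line through classify(); return {ip: [(path, reason)]}."""
    hits = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path = parsed
        reason = classify(path)
        if reason:
            hits.setdefault(ip, []).append((path, reason))
    return hits


if __name__ == "__main__":
    for ip, entries in scan_log(SAMPLE_LOG).items():
        print(ip, "->", len(entries), "probe(s)")
        for path, reason in entries:
            print("   ", reason, ":", path)
```

Grouping by client address gives the list of hosts to block at the IDS or border that the original post asks for. The normalize-then-check order is the same principle URLScan applies when it rejects requests whose URL changes under a second normalization pass (its `VerifyNormalization` setting), which is why the reply above recommends it for this traffic.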