Well, not too much info here - regrettably my snort rules file got zeroed out when whitehats.com changed their format. So, all I have is my IIS logs - however, it's pretty straightforward what happened:

    19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
    19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
    19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
    19:01:06 210.45.192.25 GET /scripts/root.exe 502
    19:01:10 210.45.192.25 GET /scripts/root.exe 502
    19:01:14 210.45.192.25 GET /scripts/root.exe 502
    19:01:14 210.45.192.25 GET /scripts/root.exe 502

That goes on for quite some time - it ended up creating several files in every directory on the website - index.asp, index.htm, default.asp, and default.htm. IP address resolves to a university in China, so I suspect the odds of getting assistance are about nil.

Moral of the story: I upgraded to SP6A on this NT4 box 10 days ago. Running IIS 4.0 still. I assumed that SPs applied patches to the web server as well as the OS - either this isn't the case, or something new developed in those last 10 days.

Conveniently, I had already set up a Linux box to replace this IIS server, and had copied over the entire site just two days prior to the attack. I _will_ be keeping better track of Apache and php exploits, since I really don't want this to happen again :)

-- 
Chris Hobbs
Silver Valley Unified School District
Head geek: Technology Services Coordinator
webmaster: http://www.silvervalley.k12.ca.us/chobbs/
postmaster: chobbsat_private
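The post shows what this kind of probe looks like in a plain IIS log: repeated requests whose URI stem walks out of /scripts with ".." segments to reach cmd.exe, followed by requests for a root.exe that was not part of the site. The scanner below is an added example, not code from the poster or from any IDS product; it parses a constructed sample in the same "time IP method URI status" shape as the excerpt, percent-decodes each URI so encoded dot-dot sequences are not missed, flags traversal segments and requests for cmd.exe or root.exe, and reports per-client counts together with how many of those requests returned 200 (the server actually served them, as the first two lines in the post did). The two 192.0.2.10 lines are constructed benign traffic so the scanner has something it must leave alone.

```python
"""Flag IIS log requests that look like the traversal / cmd.exe probes in the post."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample modelled on the excerpt in the post:
# time, client IP, method, URI stem, HTTP status.
# The last two lines are benign requests added so the scanner has something
# it should NOT flag.
SAMPLE_LOG = """\
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
19:01:06 210.45.192.25 GET /scripts/root.exe 502
19:01:10 210.45.192.25 GET /scripts/root.exe 502
19:02:30 192.0.2.10 GET /index.htm 200
19:02:31 192.0.2.10 GET /images/logo.gif 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Executables that have no business being requested through the web server.
SUSPICIOUS_NAMES = ("cmd.exe", "root.exe")


def parse_line(line):
    """Return (time, ip, method, uri, status) or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    t, ip, method, uri, status = m.groups()
    return t, ip, method, uri, int(status)


def reasons_for(uri):
    """Return the reasons a URI stem is suspicious; an empty list means benign."""
    # Percent-decode so '%2e%2e' is seen as '..'; normalise backslashes and case.
    # Bytes that do not decode as UTF-8 become U+FFFD, which is flagged too.
    decoded = unquote(uri, errors="replace").replace("\\", "/").lower()
    reasons = []
    if any(seg == ".." for seg in decoded.split("/")):
        reasons.append("directory traversal")
    if "\ufffd" in decoded:
        reasons.append("malformed percent-encoding")
    basename = decoded.rsplit("/", 1)[-1]
    if basename in SUSPICIOUS_NAMES:
        reasons.append("request for " + basename)
    return reasons


def scan(log_text):
    """Scan log text and return a summary a responder can act on."""
    flagged = []
    per_ip = Counter()          # suspicious requests per client
    succeeded = defaultdict(int)  # of those, how many the server answered 200
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        t, ip, method, uri, status = entry
        why = reasons_for(uri)
        if not why:
            continue
        flagged.append({"time": t, "ip": ip, "uri": uri,
                        "status": status, "reasons": why})
        per_ip[ip] += 1
        if status == 200:
            succeeded[ip] += 1
    return {"flagged": flagged, "per_ip": dict(per_ip),
            "succeeded": dict(succeeded)}


if __name__ == "__main__":
    summary = scan(SAMPLE_LOG)
    for f in summary["flagged"]:
        print(f"{f['time']} {f['ip']} {f['status']} {f['uri']}"
              f"  <- {', '.join(f['reasons'])}")
    for ip, n in summary["per_ip"].items():
        print(f"{ip}: {n} suspicious requests, "
              f"{summary['succeeded'].get(ip, 0)} returned 200")
```

Run it as-is to see the five probe lines flagged and the 192.0.2.10 lines ignored; point `scan()` at a real IIS log exported in the same space-separated fields to triage it. The useful signal for a responder is the "returned 200" count per client: a traversal request the server answered successfully is the one worth treating as a compromise rather than a scan.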
This archive was generated by hypermail 2b30 : Tue May 08 2001 - 20:00:17 PDT