Re: What "methods" are being used

From: Security, Network (Network.Securityat_private)
Date: Sat May 05 2001 - 19:33:40 PDT


    howdy folks, figured i'd weigh in and let everyone know what i've been
    seeing. yesterday and today have been crazy. i only assume these are attacks
    from chinese because of the anti-US sentiment displayed on the defaced pages:
    
    "fuck USA Government
    
    fuck PoizonBOx
    
    contact:sysadmcnat_private"
    
    anyway, it has been a flurry of unicode exploits. The thing i've found about
    these attacks is that even though they are coming from all sorts of
    geographically dispersed systems, they are all default looking installs of
    solaris, with a root shell bound to port 600. My solaris rootkit knowledge
    is a bit rusty...anyone know of rootkits that bind shells to port 600? i
    also got a copy of the files on one of the hacked hosts. they resided in
    /dev/cuc and also seemed to store their data in /dev/cub. also grabbb is
    running. if anyone wants a copy of what i got from the attacking machine
    drop me a line and i'll tar it up for you. so i guess this was more of an
    analysis of the attacking machines rather than the victim machines, but the
    victim machines are rather bland. Unicode exploit, copy
    C:\winnt\system32\cmd.exe to /scripts/root.exe and then do an echo into the
    homepage. pretty bland. they seem to be launching these attacks against
    anything listening on port 80...whatever happened to the script kiddie that
    _new_ what OS they were attacking? sheesh.
    ~ qarl
    
    <EOF>
    ================================================
    Karl Hill    | Computer Specialist
    970.295.5293 | USDA Office of Cyber Security
    "...firewalls are speed bumps not brick walls."
    
    -----Original Message-----
    From: Paul Rogers [mailto:paul.rogers@MIS-CDS.COM]
    Sent: Thursday, May 03, 2001 7:18 AM
    To: INCIDENTSat_private
    Subject: Re: [INCIDENTS] What "methods" are being used
    
    
    
    > James Meritt wrote:
    >
    > A variety of web defacements reportedly originating with the
    > Chinese are
    > being reported.  Anyone know what method(s) are being used?
    
    If you want some useful statistics and some basic reconnaissance
    information, I personally use www.alldas.de (this is nothing to do
    with us) because they banner check and nmap the host when it is added
    to the archive. That way you can usually hazard an educated guess on
    how the page was defaced. Since the majority of boxes are running
    IIS4/5, RDS / MSADC, Unicode and MS-Sql seem to be the favourite. I
    guess as soon as a working exploit for the ISAPI Printer issue in
    IIS5 makes a rather public appearance, the defacers worldwide will be
    using that too.
    
    > Keith McCammon wrote:
    >
    > I've also been noticing a large number of anonymous FTP
    > checks in the last
    > two days.
    
    From what we've seen - Holland has been the favourite source of scans
    for FTP recently; RPC scans typically originate from Eastern Asia and
    South America.
    
    Cheerio,
    
    Paul Rogers,
    Network Security Analyst.
    
    MIS Corporate Defence Solutions Limited
    
    Tel:		+44 (0)1622 723422 (Direct Line)
    		+44 (0)1622 723400 (Switchboard)
    Fax:		+44 (0)1622 728580
    Website:	http://www.mis-cds.com/
    
    
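As an added defender-side example (not code from either poster), here is a small Python log check for the pattern Karl describes: IIS 4/5 "Unicode" traversal requests reaching cmd.exe, a copied /scripts/root.exe, and an echo redirected into a page. It reads W3C-style IIS log lines; the sample lines and the field layout are constructed for the demo.

```python
import re
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 encodings of '/' (0x2F) and '\' (0x5C). IIS 4/5 decoded
# these only after its traversal check, which is the flaw the "unicode
# exploit" in the thread relies on. Two- and three-byte forms are listed.
OVERLONG_SEPARATORS = (
    b"\xc0\xaf", b"\xe0\x80\xaf",   # overlong '/'
    b"\xc1\x9c", b"\xe0\x81\x9c",   # overlong '\'
)
SUSPECT_BINARIES = ("cmd.exe", "root.exe")


def classify_request(stem: str, query: str) -> set:
    """Return a set of finding labels for one request (empty = nothing seen)."""
    findings = set()
    # Inspect the percent-decoded *bytes*, not a UTF-8 string, so the
    # overlong sequences are still visible instead of being normalised away.
    decoded = unquote_to_bytes(stem)
    if any(seq in decoded for seq in OVERLONG_SEPARATORS):
        findings.add("overlong-utf8-separator")
    if b".." in decoded:
        findings.add("dot-dot-traversal")
    if any(name in stem.lower() for name in SUSPECT_BINARIES):
        findings.add("suspect-binary")
    # cmd.exe /c ... with output redirected into a file, as with the
    # "echo into the homepage" defacement step.
    if re.search(r"/c\+.*>", query, re.IGNORECASE):
        findings.add("output-redirect-in-query")
    return findings


def scan_log(lines):
    """Yield (client_ip, uri_stem, sorted findings) for flagged requests."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):   # skip W3C header lines
            continue
        fields = line.split()
        if len(fields) < 7:
            continue
        ip, stem, query = fields[2], fields[4], fields[5]
        findings = classify_request(stem, query)
        if findings:
            hits.append((ip, stem, sorted(findings)))
    return hits


# Constructed sample log (fields: date time c-ip method uri-stem uri-query status).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-04 03:12:07 192.0.2.10 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200
2001-05-04 03:12:09 192.0.2.10 GET /scripts/root.exe /c+echo+x>default.htm 200
2001-05-04 03:13:00 198.51.100.7 GET /docs/my%20page.htm - 200
"""
```

Running `scan_log(SAMPLE_LOG.splitlines())` flags the two requests from 192.0.2.10 and leaves the ordinary percent-encoded request alone; a hit on `suspect-binary` without traversal markers is the sign that root.exe is already in place.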



    This archive was generated by hypermail 2b30 : Wed May 09 2001 - 22:26:42 PDT