A little more info to add about the IIS part of the attack...

The following files were created in C:\

05/07/01 05:41a 289 default.asp
05/07/01 05:41a 289 default.htm
05/07/01 05:41a 289 index.asp
05/07/01 05:41a 289 index.htm

The same files were created in C:\InetPub and every subdirectory under C:\InetPub.

A question... How did they automate the creation of these files in every \InetPub subdirectory? I can't think of a simple command line to do that.

On 5/5/2001 at 8:33 PM Security, Network wrote:

>howdy folks, figured i'd weigh in and let everyone know what i've been
>seeing. yesterday and today have been crazy. i only assume these are attacks
>from chinese because of the anti-US sentiment displayed on the defaced
>pages:
>
>"fuck USA Government
>
>fuck PoizonBOx
>
>contact:sysadmcnat_private"
>
>anyway, it has been a flurry of unicode exploits. The thing i've found about
>these attacks is that even though they are coming from all sorts of
>geographically dispersed systems, they are all default looking installs of
>solaris, with a root shell bound to port 600. My solaris rootkit knowledge
>is a bit rusty...anyone know of rootkits that bind shells to port 600? i
>also got a copy of the files on one of the hacked hosts. they resided in
>/dev/cuc and also seemed to store its data in /dev/cub. also grabbb is
>running. if anyone wants a copy of what i got from the attacking machine
>drop me a line and i'll tar it up for you. so i guess this was more of an
>analysis of the attacking machines rather than the victim machines, but the
>victim machines are rather bland. Unicode exploit, copy
>C:\winnt\system32\cmd.exe to /scripts/root.exe and then do an echo into the
>homepage. pretty bland. they seem to be launching these attacks against
>anything listening on port 80...whatever happened to the script kiddie that
>_knew_ what OS they were attacking? sheesh.
>~ qarl
>
><EOF>
>================================================
>Karl Hill | Computer Specialist
>970.295.5293 | USDA Office of Cyber Security
>"...firewalls are speed bumps not brick walls."
>
>-----Original Message-----
>From: Paul Rogers [mailto:paul.rogers@MIS-CDS.COM]
>Sent: Thursday, May 03, 2001 7:18 AM
>To: INCIDENTSat_private
>Subject: Re: [INCIDENTS] What "methods" are being used
>
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>> James Meritt wrote:
>>
>> A variety of web defacements reportedly originating with the Chinese are
>> being reported. Anyone know what method(s) are being used?
>
>If you want some useful statistics and some basic reconnaissance
>information, I personally use www.alldas.de (this is nothing to do
>with us) because they banner check and nmap the host when it is added
>to the archive. That way you can usually hazard an educated guess on
>how the page was defaced. Since the majority of boxes are running
>IIS4/5, RDS / MSADC, Unicode and MS-Sql seem to be the favourite. I
>guess as soon as a working exploit for the ISAPI Printer issue in
>IIS5 makes a rather public appearance, the defacers worldwide will be
>using that too.
>
>> Keith McCammon wrote:
>>
>> I've also been noticing a large number of anonymous FTP checks in the last
>> two days.
>
>- From what we've seen - Holland has been the favourite source of scans
>for FTP recently; RPC scans typically originate from Eastern Asia and
>South America.
>
>Cheerio,
>
>Paul Rogers,
>Network Security Analyst.
>
>MIS Corporate Defence Solutions Limited
>
>Tel: +44 (0)1622 723422 (Direct Line)
> +44 (0)1622 723400 (Switchboard)
>Fax: +44 (0)1622 728580
>Website: http://www.mis-cds.com/
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
>iQA/AwUBOvFbSrnKcoQ5QY/3EQKIFACePSHNzaCDm6cvfVgFbPpRsMFMoIMAoITy
>77CA/7pQ+FEl7nG2Wexd9yWw
>=7v/N
>-----END PGP SIGNATURE-----
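The two request stages Karl describes (a Unicode directory traversal to cmd.exe, then use of the renamed copy at /scripts/root.exe) both leave entries in the IIS web log, which is the quickest place to confirm how a box was hit. The following Python check is an added example, not code from this thread or from any poster: it runs over constructed W3C-format log lines, flags those stages and groups them per client address; the field order, the sample addresses and the set of encoded traversal sequences it looks for are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log lines (fields assumed: date time c-ip method uri-stem uri-query status).
SAMPLE_LOG = """\
2001-05-07 05:40:12 192.0.2.10 GET /default.htm - 200
2001-05-07 05:40:58 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-07 05:41:03 192.0.2.77 GET /scripts/root.exe /c+dir 200
2001-05-07 05:41:20 192.0.2.10 GET /images/logo.gif - 200
2001-05-07 05:42:01 192.0.2.88 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404
"""

# Overlong UTF-8 and double-encoded path separators IIS 4/5 folded into "/" or "\", plus plain forms.
TRAVERSAL = re.compile(r"%c0%af|%c1%9c|%c1%1c|%255c|%252f|\.\./|\.\.\\", re.I)

def parse_line(line):
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:   # skip #Fields/#Software headers and short lines
        return None
    return dict(zip(("date", "time", "ip", "method", "stem", "query", "status"), parts))

def classify(stem):
    """Name the attack stage a URI stem indicates, or None if it looks benign."""
    raw = stem.lower()
    # unquote() twice so %255c (-> %5c -> \) is seen; invalid UTF-8 is replaced, not raised.
    decoded = unquote(unquote(raw)).lower()
    traversal = bool(TRAVERSAL.search(raw)) or "../" in decoded or "..\\" in decoded
    if traversal and decoded.endswith("cmd.exe"):
        return "traversal-to-cmd"        # escape out of /scripts or /msadc straight to the shell
    if decoded.endswith("/root.exe"):
        return "dropped-shell"           # the renamed cmd.exe copy the thread describes
    if traversal:
        return "traversal"
    return None

def scan_log(text):
    """Return (line number, client ip, stage, stem, status) for every flagged request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        stage = classify(rec["stem"]) if rec else None
        if stage:
            findings.append((lineno, rec["ip"], stage, rec["stem"], rec["status"]))
    return findings

def stages_by_ip(findings):
    # Group stages per client so a complete chain (traversal, then root.exe) stands out from a lone probe.
    by_ip = {}
    for _, ip, stage, _, _ in findings:
        by_ip.setdefault(ip, set()).add(stage)
    return by_ip
```

Against real logs, adjust the field order in parse_line to match the server's #Fields: header before trusting the IP and stem columns.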
This archive was generated by hypermail 2b30 : Thu May 10 2001 - 16:20:12 PDT