----->%-----snip----->%-----

> Very likely, they copied winnt\system32\cmd.exe to \scripts\dr.exe. If you
> check file sizes and dates modified, they should be identical. The reason
> why is because they cannot run cmd.exe from the system32 directory, they
> have to run it from the scripts folder (I think. Can anyone else confirm
> this?).

No, you can run cmd.exe, but there are some limitations on what you can do
with it. For example, you can't do this:

http://xx.xx.xx.xx/scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe?/c+echo+0wned+3w3!+>+c:\inetpub\wwwroot\default.asp

That's why you first copy cmd.exe to some other name in the webroot. :)

----->%-----snip----->%-----

> Any advice would be much appreciated - a couple of our boxes seem to have
> been exploited using a directory traversal vulnerability, by uploading a
> file called "dr.exe", and then passing these commands to remove files from
> the box.

Do you see anything in the logs that would indicate dr.exe was actually
uploaded from somewhere, and it's not actually a copy of cmd.exe?

----->%-----snip----->%-----

> The attacked boxes did have all the latest patches applied to them, and I
> double checked this during the code red crisis, and applied any that were
> missing.

The Unicode patch has been out since mid-October 2000 (MS00-078), so if
you've applied that patch a Unicode attack wouldn't work. Unless they used
double encoding, but that patch has been out since 14 May 2001 (MS01-026).
Can you tell which, if either, of these two methods were used?

Reverend Lola
The Titanium Sheep
Provider of Steel Wool
Defender of the Fleeceless

PS - MS bulletins and patches (URLs may be wrapped):
MS00-078 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS00-078.asp
MS01-026 - http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-026.asp
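Following up on the question of which of the two methods shows up in the logs, here is an added example (not from the original post or its author) that tells an overlong-UTF-8 traversal (MS00-078) apart from a double-decoded one (MS01-026) by replaying both decoding behaviours over a request path. The W3C log lines are constructed, and the example assumes the cs-uri-stem is available as the client sent it; where the server logs it already decoded, check the raw request from a proxy or packet capture instead.

```python
"""Tell an overlong-UTF-8 traversal (MS00-078) apart from a double-decoded one
(MS01-026). Added example, not code from the original post."""
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 (lead byte C0/C1) is never valid; C0 AF encodes '/'.
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

def lenient_utf8(raw: bytes):
    """Mimic a decoder that accepts overlong sequences, as unpatched IIS did.
    Returns (text, overlong_seen)."""
    fixed = OVERLONG.sub(
        lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), raw)
    return fixed.decode("latin-1"), fixed != raw

def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the virtual root ('/' or '\\')."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def classify(uri_stem: str) -> str:
    """'unicode' (MS00-078), 'double-decode' (MS01-026), 'plain' or 'clean'."""
    first, overlong = lenient_utf8(unquote_to_bytes(uri_stem))
    if escapes_webroot(first):
        return "unicode" if overlong else "plain"
    # A patched server decodes once; decoding the result again is the
    # MS01-026 "superfluous decoding" bug, so a second pass exposes that attack.
    second, _ = lenient_utf8(unquote_to_bytes(first))
    if second != first and escapes_webroot(second):
        return "double-decode"
    return "clean"

def scan_log(lines):
    """Yield (c-ip, verdict) per W3C line: date time c-ip method stem query status."""
    for f in (ln.split() for ln in lines if ln and not ln.startswith("#")):
        yield f[2], classify(f[4])

# Constructed sample log lines (not from the original post).
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-24 02:11:05 192.0.2.10 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200
2001-07-24 02:11:09 192.0.2.10 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 200
2001-07-24 02:12:31 192.0.2.10 GET /scripts/dr.exe /c+dir 200
2001-07-24 02:13:00 198.51.100.7 GET /images/a%20b.gif - 200""".splitlines()
```

Requests against a host patched for MS00-078 but still vulnerable to MS01-026 will only ever show up as "double-decode", which answers the "which, if either" question from the log alone.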
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 13:56:28 PDT