Hi all,

Was wondering if anyone is aware of an IIS FTP server exploit that allows an attacker read/write access to a single given legitimate user's folders and also zeroes the log file?

I've just seen this behaviour on a box running Win2K Advanced Server SP2 and IIS 5. The box hosts many websites, one of which was defaced; looking at the web logs I see no suspicious activity at all (no POST attempts even - the site's fairly simple and doesn't need POST at all - also no FrontPage). Checking the FTP logs, which are the site owner's only way in, I see the log for when the attack happened (on hourly rotation) is precisely 64Kb of 00h.

Is this "just" a cunning FTP server exploit or, given the nature of the logfile, should I be concerned that a higher level of access to the box has been achieved?

In logs for the days prior to the compromise I see connections to the FTP server that are certainly odd but don't match a brute force attack fingerprint:

<snip>
02:08:50 81.65.186.118 anonymousat_private MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [27]USER anonymousat_private - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymousat_private MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [28]USER anonymousat_private - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymousat_private MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [29]USER anonymousat_private - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymousat_private MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [30]USER anonymousat_private - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [1]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [5]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [2]PASS - - 530 1326 0 0 219 FTP - - - -
<snip>

There was a LOT of those, all very fast like a DoS attempt. Other usernames I was seeing in a similar DoS fashion from the same time and IP were Ogpuserat_private, Kgpuserat_private, and Lgpuserat_private. Anyone know of a kiddie tool that uses these names?

Incidentally, from the WHOIS on that IP:

inetnum:      81.64.0.0 - 81.67.255.255
netname:      FR-CYBERCABLE-20020103
descr:        LYONNAISE COMMUNICATIONS PROVIDER Local Registry
country:      FR
admin-c:      LC220-RIPE
tech-c:       LC224-RIPE
status:       ALLOCATED PA
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    AS6678-MNT
mnt-routes:   AS6678-MNT
changed:      hostmasterat_private 20020103
changed:      hostmasterat_private 20020108
source:       RIPE

That's not the only IP these DoS-ish requests came from; going through the others now. Wondering if I'm dealing with two separate incidents here, the defacement and a separate DoS or DDoS.

Any advice or guidance appreciated.

Best regards,
Iain C

-- 
Iain Craig - Systems Administrator
Gael.net Ltd - Web Developers & Internet Consultants
Telematic Centre, Broom Place, Dunvegan Road, Portree, Isle of Skye, Scotland IV51 9HL
t: +44 (0)1478 613 300  f: +44 (0)1478 614 929
e: i.craigat_private  w: www.gael.net
Need "Instant Web Publishing"? Try www.sitekit.net
Need "Instant E-commerce"? Try www.shopkit.net
Need effective e-marketing services? Try www.promokit.net
The 2001 Highland & Islands Business Awards - Technology Award Winner

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
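As an added example (not part of the post above), a small Python checker for the two things the poster is looking at: the burst of USER/PASS 530 failures in the MSFTPSVC log lines, and an hourly log file that is nothing but 00h bytes. The sample log is constructed in the layout quoted in the post (with TEST-NET addresses), and the field positions and the meaning of the bracketed prefix on the verb are assumptions drawn from that layout.

```python
import re

# Constructed sample in the MSFTPSVC (IIS 5 FTP) layout quoted in the post: time c-ip
# cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...
SAMPLE_LOG = """\
02:08:50 192.0.2.10 anonymousat_private MSFTPSVC1 BOXNAME 198.51.100.5 21 [27]USER anonymousat_private - 331 0 0 0 0 FTP - - - -
02:08:50 192.0.2.10 - MSFTPSVC1 BOXNAME 198.51.100.5 21 [1]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 192.0.2.10 Ogpuserat_private MSFTPSVC1 BOXNAME 198.51.100.5 21 [28]USER Ogpuserat_private - 331 0 0 0 0 FTP - - - -
02:08:50 192.0.2.10 - MSFTPSVC1 BOXNAME 198.51.100.5 21 [2]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:51 192.0.2.10 Kgpuserat_private MSFTPSVC1 BOXNAME 198.51.100.5 21 [29]USER Kgpuserat_private - 331 0 0 0 0 FTP - - - -
02:08:51 192.0.2.10 - MSFTPSVC1 BOXNAME 198.51.100.5 21 [3]PASS - - 530 1326 0 0 219 FTP - - - -
02:15:03 203.0.113.7 siteowner MSFTPSVC1 BOXNAME 198.51.100.5 21 [30]USER siteowner - 331 0 0 0 0 FTP - - - -
02:15:04 203.0.113.7 siteowner MSFTPSVC1 BOXNAME 198.51.100.5 21 [4]PASS - - 230 0 0 0 312 FTP - - - -
"""

def parse_line(line):
    """Pull time, client IP, verb (bracketed counter stripped), argument, status."""
    f = line.split()
    if len(f) < 12 or f[0].startswith("#"):
        return None
    h, m, s = (int(x) for x in f[0].split(":"))
    verb = re.sub(r"^\[\d+\]", "", f[7])  # "[27]USER" -> "USER"
    return {"t": h * 3600 + m * 60 + s, "ip": f[1], "verb": verb,
            "arg": f[8], "status": int(f[10])}

def failed_logins(log_text, window=60, threshold=3):
    """Map client IP -> (count, usernames) for IPs with `threshold` or more
    PASS/530 replies (win32 1326 = logon failure) within `window` seconds."""
    events, pending = {}, {}  # ip -> [(t, user)], ip -> username from last USER
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        if e["verb"] == "USER":
            pending[e["ip"]] = e["arg"]
        elif e["verb"] == "PASS" and e["status"] == 530:
            events.setdefault(e["ip"], []).append((e["t"], pending.get(e["ip"], "?")))
    hits = {}
    for ip, ev in events.items():
        ev.sort()
        for i, (t0, _) in enumerate(ev):
            run = [u for t, u in ev[i:] if t - t0 <= window]
            if len(run) >= threshold:
                hits[ip] = (len(run), sorted(set(run)))
                break
    return hits

def looks_zeroed(data):
    """True for a non-empty file that is nothing but NUL bytes (the 64 KB of 00h)."""
    return len(data) > 0 and data.count(0) == len(data)
```

Successful logins (230) are not counted, so the site owner's own session in the sample is left alone while the rapid-fire failures from one address are reported with the usernames they tried.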
This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 09:25:03 PDT