I have recently seen a few computers at a client site that have been compromised, apparently because of unpatched IIS servers. I mainly assumed that they were just done all together, since they had the same "style" of break-in. Some IIS hack was done, and a copy of ServU was uploaded and ran on port 2002. (The ServU config file is at the bottom of this email.) All the files were stored in "c:\inetpub\iissamples\homepage\themes\journal\file\move\up\". The messages for the FTP server state "Hacked by Hollowman for Rotter Board".

Then I was at another client site, and saw a machine compromised the exact same way, and thought it to be more than a coincidence. I believe that there is an automated tool going around to auto-hack IIS machines that are open, and make them a public dump site for warez (pirated software WAS found on these machines, in the folder listed above).

Does anyone know if this is some automated attack roaming on the net by script kiddiez, or are there just a lot of people hacking machines the exact same way?
ServUDaemon.ini
----------------------------------------------------------------------------
[GLOBAL]
Version=4.0.0.4
RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAawEEBDktuDznA+cDAgABYQdhQGEuY29tB0VDTGlQU0UA
MaxNrUsers=5
PacketTimeOut=300
ProcessID=1520
[DOMAINS]
Domain1=0.0.0.0||2002|Hollowman|1
[Domain1]
MaxNrUsers=5
User1=hollowman|1|0
SignOn=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\Welcome Messege.txt
SignOff=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\Goodbye Messege.txt
DirChangeMesFile=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\change.txt
User2=sex|0|0
User3=icecube|1|0
[USER=sex|1]
Password=bcC6ECF2C13C81AFBFEB067B916C106F1C
HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
Enable=0
RelPaths=1
TimeOut=600
Access1=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\Home Directory|WALCP
[USER=hollowman|1]
Password=dcC28CE15107FD18DD212A029CFC1D11B2
HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
Maintenance=System
Access1=\|RWAMELCDP
[USER=icecube|1]
Password=dm2D5C549C70218799A6559276FA0FD309
HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
RelPaths=1
TimeOut=600
Access1=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory|WALCP
----------------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
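A triage helper for the pattern the post describes, added here as example code (it is not from the original message or from Serv-U): it parses a ServUDaemon.ini and flags the traits the author saw, a listener on a non-standard port, user home directories under the IIS samples tree, and an account with full maintenance rights or rights on a drive root. The embedded INI is a constructed sample modelled on the one in the post, with the password hashes replaced by placeholders.

```python
import configparser

# Constructed sample modelled on the post's config (hashes replaced by placeholders).
SAMPLE_INI = r"""[GLOBAL]
[DOMAINS]
Domain1=0.0.0.0||2002|Hollowman|1
[USER=hollowman|1]
Password=<placeholder-hash>
HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
Maintenance=System
Access1=\|RWAMELCDP
[USER=sex|1]
Password=<placeholder-hash>
HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
Access1=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory|WALCP
"""
# Path fragments that mean the FTP root sits inside a web-served tree.
WEB_TREE_MARKERS = ("\\inetpub\\", "\\wwwroot\\", "\\iissamples\\")

def parse_servu_ini(text):
    """Load a Serv-U INI; section names like [USER=name|1] are kept as-is."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep key case (HomeDir, Access1, ...)
    cfg.read_string(text)
    return cfg

def listeners(cfg):
    """(domain name, port) for each DomainN=ip||port|name|enabled entry."""
    out = []
    for val in cfg["DOMAINS"].values():
        f = val.split("|")
        if len(f) >= 4 and f[2].isdigit():
            out.append((f[3], int(f[2])))
    return out

def find_indicators(text):
    """Return human-readable findings that match the warez drop-site pattern."""
    cfg = parse_servu_ini(text)
    hits = [f"listener '{n}' on non-standard port {p}" for n, p in listeners(cfg) if p != 21]
    for section in cfg.sections():
        if not section.startswith("USER="):
            continue
        user, sect = section[5:].split("|")[0], cfg[section]
        home = sect.get("HomeDir", "").lower()
        if any(m in home for m in WEB_TREE_MARKERS):
            hits.append(f"user '{user}' home dir under web tree: {home}")
        if sect.get("Maintenance", "").lower() == "system":
            hits.append(f"user '{user}' has Maintenance=System (full admin)")
        for key, val in sect.items():  # AccessN=path|rights; a bare "\" is the drive root
            if key.startswith("Access") and val.split("|")[0] in ("\\", "/"):
                hits.append(f"user '{user}' granted rights on drive root: {val}")
    return hits
```

Run it over a recovered ServUDaemon.ini from a suspect host; any hit is a reason to check the listed directory and the process bound to the reported port.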
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 09:12:35 PDT