automatic hacking tool for IIS?

From: Matt Andreko (mandrekoat_private)
Date: Wed Jun 19 2002 - 07:37:44 PDT


    I have recently seen a few computers at a client site, that have been
    compromised, apparently because of unpatched IIS servers.  I mainly
    assumed that they were just done all together, since they had the same
    "style" of break-in.  Some IIS hack was done, and a copy of ServU was
    uploaded and run on port 2002.  (The ServU config file is at the bottom
    of this email).  All the files were stored in
    "c:\inetpub\iissamples\homepage\themes\journal\file\move\up\".  The
    messages for the FTP server state "Hacked by Hollowman for Rotter
    Board".
    Then I was at another client site, and saw a machine compromised the
    exact same way, and thought it to be more than a coincidence.  I believe
    that there is an automated tool going around to auto-hack IIS machines
    that are open, and make them a public dump site for warez (pirated
    software WAS found on these machines, in the folder listed above)
    
    Does anyone know if this is some automated attack roaming on the net by
    script kiddiez, or are there just a lot of people hacking machines the
    exact same way?
    
    
    ServUDaemon.ini
    ----------------------------------------------------------------------------
    [GLOBAL]
    Version=4.0.0.4
    RegistrationKey=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAawEEBDktuDznA+cDAgABYQdhQGEuY29tB0VDTGlQU0UA
    MaxNrUsers=5
    PacketTimeOut=300
    ProcessID=1520
    [DOMAINS]
    Domain1=0.0.0.0||2002|Hollowman|1
    [Domain1]
    MaxNrUsers=5
    User1=hollowman|1|0
    SignOn=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\Welcome Messege.txt
    SignOff=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\Goodbye Messege.txt
    DirChangeMesFile=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\change.txt
    User2=sex|0|0
    User3=icecube|1|0
    [USER=sex|1]
    Password=bcC6ECF2C13C81AFBFEB067B916C106F1C
    HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
    Enable=0
    RelPaths=1
    TimeOut=600
    Access1=c:\Inetpub\iissamples\homepage\themes\journal\file\move\up\Home Directory|WALCP
    [USER=hollowman|1]
    Password=dcC28CE15107FD18DD212A029CFC1D11B2
    HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
    Maintenance=System
    Access1=\|RWAMELCDP
    [USER=icecube|1]
    Password=dm2D5C549C70218799A6559276FA0FD309
    HomeDir=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory
    RelPaths=1
    TimeOut=600
    Access1=c:\inetpub\iissamples\homepage\themes\journal\file\move\up\home directory|WALCP
    ----------------------------------------------------------------------------
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 09:12:35 PDT