I've run into one of these machines. It made a single request for "/scripts/..%5c%5c../winnt/system32/cmd.exe". Some research on the box showed it to be an unadministered NT box. Being as it seemed to be a forgotten child, I portscanned it, telnetted to some of the open ports, and found the exact same thing: Serve_u on port 2002, box vulnerable to the unicode exploit. The FTP message differed, which leads me now to believe that it's a tool making the rounds.

Matt Andreko wrote:

> I have recently seen a few computers at a client site that have been
> compromised, apparently because of unpatched IIS servers. I mainly
> assumed that they were just done all together, since they had the same
> "style" of break-in. Some IIS hack was done, and a copy of ServU was
> uploaded and run on port 2002. (The ServU config file is at the bottom
> of this email.) All the files were stored in
> "c:\inetpub\iissamples\homepage\themes\journal\file\move\up\". The
> messages for the FTP server state "Hacked by Hollowman for Rotter
> Board".
>
> Then I was at another client site, and saw a machine compromised the
> exact same way, and thought it to be more than a coincidence. I believe
> that there is an automated tool going around to auto-hack IIS machines
> that are open, and make them a public dump site for warez (pirated
> software WAS found on these machines, in the folder listed above).
>
> Does anyone know if this is some automated attack roaming on the net by
> script kiddiez, or are there just a lot of people hacking machines the
> exact same way?

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
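The request quoted in the message above is the kind of thing an administrator would want to pick out of IIS logs before the box turns into a warez dump. The following is an added example, not code from either poster: it normalizes request URIs (repeated percent-decoding, backslash folding, and the overlong two-byte UTF-8 forms that the "unicode exploit" relied on, which goes beyond the single `%5c` variant shown in the thread) and flags traversal requests that reach cmd.exe. The log format and all log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in a simplified W3C-style layout:
# date time client-ip method uri status
SAMPLE_LOG = """\
2002-06-19 10:01:02 10.0.0.5 GET /default.htm 200
2002-06-19 10:01:03 10.0.0.9 GET /scripts/..%5c%5c../winnt/system32/cmd.exe 200
2002-06-19 10:01:04 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe 404
2002-06-19 10:01:05 10.0.0.7 GET /images/logo.gif 200
"""

def _decode_overlong(raw: bytes) -> str:
    """Decode bytes to text, accepting overlong two-byte UTF-8 sequences
    (lead byte 0xC0/0xC1) that encode plain ASCII. A strict decoder rejects
    them, which is exactly why they slipped past the IIS path checks."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")
            i += 1
    return "".join(out)

def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (catches double encoding such as %255c),
    then fold backslashes to slashes and collapse repeated separators."""
    cur = uri
    for _ in range(max_rounds):
        nxt = _decode_overlong(unquote_to_bytes(cur))
        if nxt == cur:
            break
        cur = nxt
    return re.sub(r"/+", "/", cur.replace("\\", "/"))

def is_traversal_to_cmd(uri: str) -> bool:
    """True when the normalized path climbs with '..' and ends in cmd.exe."""
    norm = normalize_uri(uri).lower()
    return "/../" in norm and norm.endswith("cmd.exe")

def scan_log(text: str):
    """Return (client_ip, raw_uri) for each suspicious request in the log."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and is_traversal_to_cmd(parts[4]):
            hits.append((parts[2], parts[4]))
    return hits
```

Because normalization runs before the match, the same check catches the plain `%5c`, the double-encoded `%255c`, and the overlong-UTF-8 spellings of the traversal, and the 404 line shows that failed attempts are still worth reporting.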
This archive was generated by hypermail 2b30 : Wed Jun 19 2002 - 17:26:15 PDT