Re: IIS and leech

From: Ali Gumbs (Alijandro.Gumbsat_private)
Date: Mon Nov 11 2002 - 19:30:26 PST


    A link to a thread that you should find useful; it also has a link to
    where you can get dd.exe and netcat.
    
    http://lists.jammed.com/forensics/2002/05/0043.html
    
    Regards,
    
    
    ----- Original Message -----
    From: "randall perry" <randallp@domain-logic.com>
    To: <incidentsat_private>
    Sent: Thursday, November 07, 2002 2:45 PM
    Subject: IIS and leech
    
    
    > Greets.
    >
    > An IIS box I manage freaked out yesterday.  I initially thought that it
    > came under attack but after digging through what was left of the crime
    > scene, it looks like MS is to blame.  The most recent event before the
    > nightmare began was, at 7pm that night, the creation of c:\program
    > files\WindowsUpdate\wuaudnld.tmp\.  That tells me that an automagic MS
    > Windows update is the root of trashing that ecommerce box, which took
    > all day yesterday to recover (after 2 BSODs trashing it to the point
    > of not having network connectivity).
    >
    > If that wouldn't have happened, I probably would not have found the
    > following:
    > hum.exe, which is really leech ftp server, was installed on the box and
    > set up as a service to start with the box.  I found more than 30 gig of
    > files (movies, MP3s) were there under
    > d:\i386\winnt[some characters]\system32\system32\ and some funny directory
    > names.  The movies were broken into 14meg chunks, but had sample avi files
    > in the directory that showed a short clip of what the movie was.
    >
    > I have no idea how this got planted there or by whom.  (The office
    > manager and graphics person are the only ones to access the box.)
    >
    > A port scan of the box showed the following ports open:
    > |___    21  [ftp]   File Transfer [Control]
    > |___    25  [smtp]   Simple Mail Transfer
    > |___    80  [http]   World Wide Web HTTP
    > |___   135  [epmap]   DCE endpoint resolution
    > |___   389  [ldap]   Lightweight Directory Access Protocol
    > |___   433  [nnsp]   NNSP
    > |___   443  [https]   https  MCom
    > |___   445  [microsoft-ds]   Microsoft-DS
    > |___  1025  [blackjack]   network blackjack
    > |___  1027  [ICQ]   ICQ?
    >
    > Although port 1025 is typically network blackjack, I can assume that was
    > the leech ftp server controlled through port 1027.  Anyone else see this?
    >
    > Randall Perry
    >
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    
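    The original post found a rogue FTP server (hum.exe) registered as an
    auto-start service and a pair of unexplained listening ports. The
    following is an added example, not code from either poster, of the two
    checks that would have surfaced that on a current Windows host: list
    auto-start services whose binary lives outside the system and Program
    Files directories, and map every listening TCP port to its owning
    process and service. It assumes PowerShell 5 or later with the NetTCPIP
    module (Windows 8 / Server 2012 and newer) and an elevated session; the
    trusted roots are an assumption you should adjust for your own build.

```powershell
# Added example, not from the thread. Assumes PowerShell 5+, NetTCPIP module,
# elevated session. Trusted roots below are an assumption: extend them for
# third-party software you have deliberately installed elsewhere.
$trustedRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-ImagePath {
    param([string]$PathName)
    # Service PathName may be quoted and carry arguments, e.g. '"C:\x\y.exe" -k'
    if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
    return ($PathName -split '\s+')[0]
}

# 1. Auto-start services whose image is outside every trusted root
$suspectServices = Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.PathName } |
    ForEach-Object {
        $exe = Get-ImagePath $_.PathName
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($exe -like "$root\*") { $inTrusted = $true; break }
        }
        if (-not $inTrusted) {
            [pscustomobject]@{
                Service   = $_.Name
                Display   = $_.DisplayName
                ImagePath = $exe
                ProcessId = $_.ProcessId
            }
        }
    }

# 2. Listening TCP ports mapped to the owning process and any service in it
$listeners = Get-NetTCPConnection -State Listen | ForEach-Object {
    $pid  = $_.OwningProcess
    $proc = Get-Process -Id $pid -ErrorAction SilentlyContinue
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $pid" |
            Select-Object -ExpandProperty Name
    [pscustomobject]@{
        LocalPort = $_.LocalPort
        ProcessId = $pid
        Process   = if ($proc -and $proc.Path) { $proc.Path } else { '<unknown>' }
        Service   = ($svc -join ',')
    }
}

"== Auto-start services with image outside: $($trustedRoots -join '; ') =="
$suspectServices | Format-Table -AutoSize
"== Listening TCP ports =="
$listeners | Sort-Object LocalPort | Format-Table -AutoSize
```

    A service whose image path points under a user profile, a temp directory,
    or a copy of the install media (as with the d:\i386\... tree in the post)
    shows up in the first table; the second table ties each listening port
    to the binary that actually owns it, which is what a remote port scan
    alone cannot tell you.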



    This archive was generated by hypermail 2b30 : Tue Nov 12 2002 - 15:33:38 PST