RE: New scanner?

From: newsletters (listservat_private)
Date: Thu Nov 21 2002 - 18:10:41 PST


    Jeremy,
    
    I'm not sure if you're serious or not, but this is probably the most
    common IIS exploit found. Wherever the destination address is located
    you're going to find IIS and a compromised scripts directory. The
    command (cmd.exe) interpreter has been renamed and copied to the
    c:\inetpub\scripts\root.exe and the intruder is using it to gain command
    line access to your system. This is basically the ultimate goal of a
    hacker. You need to search the system for root.exe and delete it. In
    addition you need to check and reset the permissions for C:\inetpub\*.
    At a minimum change the scripts directory to read only. Do a search on
    bugtraq for codered II. That should give you a more detailed action
    plan. My opinion would be to rebuild the box with all current patches
    and service packs. 
    
    Good Luck!
    
    CB
    
    -----Original Message-----
    From: Jeremy [mailto:prrthd25at_private] 
    Sent: Wednesday, November 20, 2002 10:30 AM
    To: incidentsat_private
    Subject: New scanner?
    
    Hello all,
    
      My snort box picked this up yesterday from two
    different source IPs and I was wondering if anyone
    had seen this pattern before. Both times snort logged
    718 alerts consisting of the following:
    
    1 instances of WEB-IIS multiple decode attempt 
    1 instances of FTP invalid MODE 
    1 instances of WEB-MISC http directory traversal 
    2 instances of WEB-IIS scripts access 
    2 instances of (spp_portscan2) Portscan detected 
    3 instances of WEB-IIS Unicode2.pl script (File
    permission canonicalization) 
    6 instances of POLICY FTP anonymous login attempt 
    17 instances of WEB-IIS CodeRed v2 root.exe access 
    685 instances of WEB-IIS cmd.exe access 
    
    This may have been around awhile but it's the first
    time I've seen it, so I figured I would ask. If this
    is something new I do have packet captures from all
    the alerts.
    
    Thanks,
      Jeremy
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
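The triage CB suggests can be scripted. The Python below is an added example and is not part of either message: it parses a Snort alert summary of the kind Jeremy posted (the sample lines are constructed from his numbers), flags the root.exe plus cmd.exe combination that marks a Code Red II style backdoor probe, and sweeps a directory tree for files named root.exe whose SHA-256 matches the real cmd.exe, which catches the renamed copy CB describes. The directory layout in sample_tree_scan() is a constructed stand-in for c:\inetpub\scripts; paths and signature names outside the post are assumptions.

```python
"""Triage helper for a Snort alert summary and a root.exe sweep (added example)."""
import hashlib
import os
import re
import shutil
import tempfile
from collections import Counter

# Constructed from the alert summary in Jeremy's message.
SAMPLE_SUMMARY = """\
1 instances of WEB-IIS multiple decode attempt
1 instances of FTP invalid MODE
1 instances of WEB-MISC http directory traversal
2 instances of WEB-IIS scripts access
2 instances of (spp_portscan2) Portscan detected
3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization)
6 instances of POLICY FTP anonymous login attempt
17 instances of WEB-IIS CodeRed v2 root.exe access
685 instances of WEB-IIS cmd.exe access
"""

# "<count> instances of <signature name>" as Snort's summary prints it.
LINE_RE = re.compile(r"^\s*(\d+)\s+instances?\s+of\s+(.+?)\s*$")

# The two signatures that together indicate a root.exe backdoor probe.
ROOT_EXE_SIG = "WEB-IIS CodeRed v2 root.exe access"
CMD_EXE_SIG = "WEB-IIS cmd.exe access"


def parse_summary(text):
    """Map each signature name to its alert count, summing repeated lines."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group(2)] += int(m.group(1))
    return counts


def classify(counts):
    """Summarise the counts and decide whether the Code Red II pattern is present."""
    total = sum(counts.values())
    root = counts.get(ROOT_EXE_SIG, 0)
    cmd = counts.get(CMD_EXE_SIG, 0)
    return {
        "total": total,
        "root_exe": root,
        "cmd_exe": cmd,
        # Both signatures firing in one session is the backdoor probe CB describes.
        "codered_ii_pattern": root > 0 and cmd > 0,
        "share": (root + cmd) / total if total else 0.0,
    }


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_cmd_copies(tree, cmd_exe_path, names=("root.exe",)):
    """Return paths under `tree` named in `names` that are byte-identical to cmd_exe_path.

    A hash match only catches an unmodified copy; a file named root.exe that
    does not match still deserves a look, so the caller should list those too.
    """
    target = sha256_file(cmd_exe_path)
    hits = []
    for dirpath, _dirs, files in os.walk(tree):
        for name in files:
            if name.lower() in names:
                path = os.path.join(dirpath, name)
                if sha256_file(path) == target:
                    hits.append(path)
    return sorted(hits)


def sample_tree_scan():
    """Build a constructed stand-in for an inetpub tree, scan it, return relative hits."""
    base = tempfile.mkdtemp()
    try:
        cmd_path = os.path.join(base, "system32", "cmd.exe")
        os.makedirs(os.path.dirname(cmd_path))
        with open(cmd_path, "wb") as f:
            f.write(b"FAKE-CMD-EXE-BYTES")           # constructed stand-in for cmd.exe
        os.makedirs(os.path.join(base, "inetpub", "scripts"))
        os.makedirs(os.path.join(base, "inetpub", "wwwroot"))
        # Renamed copy of cmd.exe in the scripts directory: what the sweep should find.
        shutil.copyfile(cmd_path, os.path.join(base, "inetpub", "scripts", "root.exe"))
        # Same name, different bytes: not a copy of cmd.exe, so not reported here.
        with open(os.path.join(base, "inetpub", "wwwroot", "root.exe"), "wb") as f:
            f.write(b"SOMETHING-ELSE")
        hits = find_cmd_copies(os.path.join(base, "inetpub"), cmd_path)
        return [os.path.relpath(p, base).replace(os.sep, "/") for p in hits]
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(classify(parse_summary(SAMPLE_SUMMARY)))
    print(sample_tree_scan())
```

On a real host the sweep would be run as find_cmd_copies(r"C:\inetpub", r"C:\WINNT\system32\cmd.exe") after taking a copy of the scripts directory for the incident record; the permissions reset CB mentions is a separate step the script does not perform.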
    



    This archive was generated by hypermail 2b30 : Fri Nov 22 2002 - 22:53:16 PST