RE: New scanner?

From: Jason Frey (jmfreyat_private)
Date: Fri Nov 22 2002 - 23:02:54 PST

  • Next message: Jonathan Bloomquist: "RE: Proxy server hit... Any ideas?"

    Just because Snort alerts on it doesn't necessarily mean there is a 
    compromised box.
    
    With publicly accessible web servers, your Snort is likely to see hundreds 
    of IIS targeted attacks daily.  These are not false alarms, but they may 
    not be effective attacks either.  If your IIS systems are patched and 
    configured correctly, they may not be compromised.
    
    Still, I would examine the boxes as Jeremy suggests.  Once you are sure 
    they are patched and configured correctly, you can create pass rules for 
    those boxes if you choose to not get alerted with these events for them.
    
    
    At 09:10 PM 11/21/2002 -0500, newsletters wrote:
    >Jeremy,
    >
    >I'm not sure if your serious or not, but this is probably the most
    >common IIS exploit found. Wherever the destination address is located
    >you're going to find IIS and a compromised scripts directory. The
    >command (cmd.exe) interpreter has been renamed and copied to the
    >c:\inetpub\scripts\root.exe and the intruder is using it to gain command
    >line access to your system. This is basically the ultimate goal of a
    >hacker. You need to search the system for root.exe and delete it. In
    >addition you need to check and reset the permissions for C:\inetpub\*.
    >At a minimum change the scripts directory to read only. Do a search on
    >bugtraq for codered II. That should give you a more detailed action
    >plan. My opinion would be to rebuild the box with all current patches
    >and service packs.
    >
    >Good Luck!
    >
    >CB
    >
    >-----Original Message-----
    >From: Jeremy [mailto:prrthd25at_private]
    >Sent: Wednesday, November 20, 2002 10:30 AM
    >To: incidentsat_private
    >Subject: New scanner?
    >
    >Hello all,
    >
    >   My snort box picked this up yesterday fron two
    >different source ip's and I was wondering if anyone
    >had seen this pattern before. Both times snort logged
    >718 alerts consisting of the following:
    >
    >1 instances of WEB-IIS multiple decode attempt
    >1 instances of FTP invalid MODE
    >1 instances of WEB-MISC http directory traversal
    >2 instances of WEB-IIS scripts access
    >2 instances of (spp_portscan2) Portscan detected
    >3 instances of WEB-IIS Unicode2.pl script (File
    >permission canonicalization)
    >6 instances of POLICY FTP anonymous login attempt
    >17 instances of WEB-IIS CodeRed v2 root.exe access
    >685 instances of WEB-IIS cmd.exe access
    >
    >This may have been around awhile but its the first
    >time I've seen it, so I figured I would ask. If this
    >is something new I do have packets captures from all
    >the alerts.
    >
    >Thanks,
    >   Jeremy
    >
    >__________________________________________________
    >Do you Yahoo!?
    >Yahoo! Web Hosting - Let the expert host your site
    >http://webhosting.yahoo.com
    >
    >------------------------------------------------------------------------
    >----
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    >
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Nov 25 2002 - 10:14:59 PST