Re: new attack tool combining SMB and WebDAV?

From: Bill McCarty (bmccartyat_private)
Date: Mon Mar 31 2003 - 14:25:28 PST


    Hi Matt and all,
    
    One of my Windows honeypots has logged this attack. I see both the ICMP 
    datagrams having lower case letters reported by Matt Power and the upper 
    case Es reported by James Slora. The tool succeeded in compromising the 
    honeypot, presumably via the honeypot's weak (actually null) admin 
    password. However, the attack might instead have capitalized on some IIS 
    vulnerability, such as Web-DAV. I haven't found time to analyze the traffic 
    or host in detail.
    
    The attacker established a ServU FTP server running on port 61337, 
    identifying himself by the user ID xtahc. He provided the server with the 
    following banner (please pardon the anticipated line wraps):
    
    mkd 10
    mkd 11 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 12 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [        Inf-alliance            ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 13 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 14 !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Games ] ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 15 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ Movies ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 16 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Appz ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 17 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ MP3's ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 18 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 19 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Filled by                         ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 20 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ ©2003 Physix Productions ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 21 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
    mkd 22
    
    Other information identified the compromised server as belonging to the 
    OutpostFXP Pubstro community. I've been unable to learn more about that 
    community.
    
    I can dig up other information if doing so would be helpful. But, I'm 
    pretty jammed just now.
    
    Cheers,
    
    ---------------------------------------------------
    Bill McCarty
    
    



    This archive was generated by hypermail 2b30 : Mon Mar 31 2003 - 16:02:31 PST