Thanks to everyone for all the comments and ideas on this.

After close inspection of the machine and additional examination of IDS logs, it appears that the FrontPage extensions were probably just a backdoor. The initial compromise vector was most likely the nsiislog.dll vulnerability. We have begun to see other successful exploits of this attack:

http://securityfocus.com/bid/8035

It would appear that remote exploits for this are now circulating in the wild.

I've done my best to recover the attack from the IDS log and, assuming it's been converted correctly, I've made it available online:

http://net-services.ufl.edu/~jwiens/exploit.raw

I believe that to be the complete attack, but since it went through some mangling by both the IDS and my attempts to convert it back from the IDS format into something more useful, I make no guarantees that it is intact, useful, or correct.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 2 Jul 2003, Jordan Wiens wrote:

> We had a recent compromise that our IDS did not detect; however, it did
> detect subsequent backdoor activity and a few other packets afterwards
> that alerted us to the compromise. Upon closer investigation of the
> activity, some of the additional information logged showed some FrontPage
> extensions being used in an interesting way. Anyone else seen this?
>
> Since we were unable to determine the initial compromise method, I'm
> trying to figure out if this was purely used as a backdoor, or might also
> have been the same method as the initial compromise.
>
> Some additional background info: the svchost.exe is a renamed Serv-U FTP
> daemon process that was loaded onto the server along with a few other,
> 'normal' backdoor tools.
This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 09:59:58 PDT