Re: frontpage extensions; backdoor or initial compromise?

From: Jordan Wiens (jwiensat_private)
Date: Tue Jul 08 2003 - 09:20:24 PDT


    Thanks to everyone for all the comments and ideas on this.  After close
    inspection of the machine and additional examination of IDS logs, it
    appears that the frontpage extensions were probably just a backdoor.
    
    The initial compromise vector was most likely the nsiislog.dll
    vulnerability.  We have begun to see other successful exploits of this
    attack:
    
    http://securityfocus.com/bid/8035
    
    It would appear that remote exploits for this are now circulating in the
    wild.  I've done my best to recover the attack from the IDS log and
    assuming it's been converted correctly, I've made it available online:
    
    http://net-services.ufl.edu/~jwiens/exploit.raw
    
    I believe that to be the complete attack, but since it went through some
    mangling by both the IDS and my attempts to convert it back from the IDS
    format into something more useful, I make no guarantees that it is intact,
    useful, or correct.
    
    -- 
    Jordan Wiens
    UF Network Incident Response Team
    (352)392-2061
    
    On Wed, 2 Jul 2003, Jordan Wiens wrote:
    
    > We had a recent compromise that our IDS did not detect, however, it did
    > detect subsequent backdoor activity and a few other packets afterwards
    > that alerted us to the compromise.  Upon closer investigation of the
    > activity, some of the additional information logged showed some frontpage
    > extensions being used in an interesting way.  Anyone else seen this?
    >
    > Since we were unable to determine the initial compromise method, I'm
    > trying to figure out if this was purely used as a backdoor, or might also
    > have been the same method as the initial compromise.
    >
    > Some additional background info; the svchost.exe is a renamed servu ftp
    > daemon process that was loaded into the server along with a few other,
    > 'normal' backdoor tools.
    >
    >
    
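A triage aid for the kind of follow-up the post describes (deciding whether nsiislog.dll or the FrontPage extensions were involved), added here as an example and not code from the post or its author: it walks IIS W3C-format log lines and flags POST requests to the two DLLs. The log lines are constructed, and the paths /scripts/nsiislog.dll and /_vti_bin/_vti_aut/author.dll plus the body-size threshold are assumptions of the example.

```python
from typing import Dict, List

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-bytes
2003-06-30 02:11:04 203.0.113.7 GET /default.htm 200 318
2003-06-30 02:11:09 203.0.113.7 POST /scripts/nsiislog.dll 500 61440
2003-06-30 02:13:41 203.0.113.7 POST /_vti_bin/_vti_aut/author.dll 200 5120
2003-06-30 02:14:02 198.51.100.5 GET /images/logo.gif 200 211
"""

# Assumed default locations: nsiislog.dll under /scripts (Windows Media
# Services) and the FrontPage authoring DLL under /_vti_bin/_vti_aut.
WATCH = {
    "/scripts/nsiislog.dll": "nsiislog.dll POST (BID 8035 vector)",
    "/_vti_bin/_vti_aut/author.dll": "FrontPage authoring DLL (possible backdoor use)",
}
LARGE_POST = 8192  # assumed threshold for an unusually large request body


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rows.append(dict(zip(fields, line.split())))
    return rows


def flag_suspicious(text: str) -> List[Dict[str, str]]:
    """Return POST requests to watched DLLs, annotated with a reason."""
    hits = []
    for row in parse_w3c(text):
        path = row.get("cs-uri-stem", "").lower()
        if row.get("cs-method") != "POST" or path not in WATCH:
            continue
        size = int(row.get("cs-bytes", "0"))
        hit = dict(row, reason=WATCH[path])
        if size >= LARGE_POST:
            hit["reason"] += f", oversized body ({size} bytes)"
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in flag_suspicious(SAMPLE_LOG):
        print(h["date"], h["time"], h["c-ip"], h["cs-uri-stem"], "-", h["reason"])
```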
    



    This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 09:59:58 PDT