Pantek Library

RE: New scanner?

From: newsletters <listserv(at)citadelconsulting.net>
Date: Thu Nov 21 2002 - 21:10:41 EST


Jeremy,

I'm not sure if you're serious or not, but this is probably the most common IIS exploit found. Wherever the destination address is located you're going to find IIS and a compromised scripts directory. The command interpreter (cmd.exe) has been renamed and copied to c:\inetpub\scripts\root.exe, and the intruder is using it to gain command-line access to your system. This is basically the ultimate goal of a hacker.

You need to search the system for root.exe and delete it. In addition, you need to check and reset the permissions for C:\inetpub\*. At a minimum, change the scripts directory to read-only. Do a search on bugtraq for CodeRed II; that should give you a more detailed action plan. My opinion would be to rebuild the box with all current patches and service packs.

Good Luck!

CB

-----Original Message-----

From: Jeremy [mailto:prrthd25@yahoo.com]
Sent: Wednesday, November 20, 2002 10:30 AM
To: incidents@securityfocus.com
Subject: New scanner?

Hello all,

  My Snort box picked this up yesterday from two different source IPs, and I was wondering if anyone had seen this pattern before. Both times Snort logged 718 alerts consisting of the following:

1 instances of WEB-IIS multiple decode attempt
1 instances of FTP invalid MODE
1 instances of WEB-MISC http directory traversal
2 instances of WEB-IIS scripts access
2 instances of (spp_portscan2) Portscan detected
3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization)
6 instances of POLICY FTP anonymous login attempt
17 instances of WEB-IIS CodeRed v2 root.exe access
685 instances of WEB-IIS cmd.exe access


This may have been around a while, but it's the first time I've seen it, so I figured I would ask. If this is something new, I do have packet captures from all the alerts.

Thanks,
  Jeremy
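The alert mix Jeremy lists (root.exe hits, hundreds of cmd.exe hits, decode and traversal attempts, all clustered from two sources) is the footprint a CodeRed II style IIS scanner leaves in a web server's own request log, not only in Snort. The script below is an added example and is not code from either post or from Snort: it classifies request URIs into the same alert families using the well-known patterns (root.exe, cmd.exe, overlong UTF-8 path separators such as %c0%af, double-encoded %255c) and then counts hits per source IP so a scanner stands out. The log lines are constructed for the example, in an assumed three-field format (client IP, method, URI); the labels are my own shorthand for the alert names in the thread, not Snort's rule text.

```python
"""Classify IIS request URIs into CodeRed II / cmd.exe style alert families
and summarise them per source IP. Illustrative code, not Snort's rules."""
import re
import urllib.parse
from collections import Counter

# Constructed sample traffic: one scanner (10.0.0.7) and one normal client.
# Format is assumed: "<client-ip> <method> <uri>" per line.
SAMPLE_LOG = """\
10.0.0.7 GET /scripts/root.exe?/c+dir
10.0.0.7 GET /MSADC/root.exe?/c+dir
10.0.0.7 GET /c/winnt/system32/cmd.exe?/c+dir
10.0.0.7 GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir
10.0.0.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
10.0.0.7 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
192.0.2.9 GET /index.html
192.0.2.9 GET /images/logo.gif
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<method>\S+)\s+(?P<uri>\S+)$")
# Overlong UTF-8 encodings of '/' and '\' (e.g. %c0%af, %c1%9c) that the
# vulnerable IIS canonicalised only after its path checks had run.
OVERLONG_RE = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)


def parse_line(line):
    """Return (ip, uri) for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    return (m.group("ip"), m.group("uri")) if m else None


def classify(uri):
    """Return the set of alert labels a single request URI would trip."""
    path = uri.split("?", 1)[0]          # drop the query string (?/c+dir)
    low = path.lower()
    once = urllib.parse.unquote(path)    # what a correct server sees
    twice = urllib.parse.unquote(once)   # what a double-decoding IIS saw
    alerts = set()
    if "root.exe" in low:
        alerts.add("root.exe access")
    if "cmd.exe" in low:
        alerts.add("cmd.exe access")
    if low.startswith("/scripts/"):
        alerts.add("scripts access")
    if OVERLONG_RE.search(low):
        alerts.add("unicode traversal")
    if "%25" in low and once != twice:   # %255c -> %5c -> '\' only on 2nd pass
        alerts.add("double decode")
    if "../" in twice or "..\\" in twice:
        alerts.add("directory traversal")
    return alerts


def summarise(log_text):
    """Count alerts per source IP and per alert label."""
    per_ip = Counter()
    per_alert = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ip, uri = parsed
        for alert in classify(uri):
            per_ip[ip] += 1
            per_alert[alert] += 1
    return per_ip, per_alert


def noisy_sources(log_text, threshold=10):
    """Source IPs whose alert count exceeds threshold: scanner candidates."""
    per_ip, _ = summarise(log_text)
    return sorted(ip for ip, n in per_ip.items() if n > threshold)


if __name__ == "__main__":
    per_ip, per_alert = summarise(SAMPLE_LOG)
    for alert, n in sorted(per_alert.items(), key=lambda kv: -kv[1]):
        print(f"{n:4d} instances of {alert}")
    print("scanner candidates:", noisy_sources(SAMPLE_LOG))
```

Decoding the path twice is the point of the "double decode" check: a request like /scripts/..%255c../winnt/system32/cmd.exe looks harmless after one decode (%5c is still literal) and only becomes ..\.. on the second pass, which is exactly the ordering bug the old IIS had. Run against a real W3C log you would replace parse_line() with a parser for the server's configured field order and feed the cs-uri-stem plus cs-uri-query columns to classify().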





This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Sat Nov 23 01:53:53 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:51 EDT

