Hosting Provided By

RE: New scanner?

From: Rob Shein <shoten(at)starpower.net>
Date: Mon Dec 02 2002 - 00:09:42 EST

I think what he's getting at is not the attack, but the pattern of them. He's asking if any of us have seen a tool that generates a sequence of 718 attacks of those types, in that number, in that order. He's asking about the tool to generate the attacks, not if anyone has seen the attacks themselves before :)

-----Original Message-----

From: newsletters [mailto:listserv@citadelconsulting.net] Sent: Thursday, November 21, 2002 9:11 PM To: 'Jeremy'; incidents@securityfocus.com Subject: RE: New scanner?

Jeremy,

I'm not sure if your serious or not, but this is probably the most common IIS exploit found. Wherever the destination address is located you're going to find IIS and a compromised scripts directory. The command (cmd.exe) interpreter has been renamed and copied to the c:\inetpub\scripts\root.exe and the intruder is using it to gain command line access to your system. This is basically the ultimate goal of a hacker. You need to search the system for root.exe and delete it. In addition you need to check and reset the permissions for C:\inetpub\*. At a minimum change the scripts directory to read only. Do a search on bugtraq for codered II. That should give you a more detailed action plan. My opinion would be to rebuild the box with all current patches and service packs.

Good Luck!

-----Original Message-----

From: Jeremy [mailto:prrthd25@yahoo.com] Sent: Wednesday, November 20, 2002 10:30 AM To: incidents@securityfocus.com
Subject: New scanner?

Hello all,

Do you need help?

My snort box picked this up yesterday fron two different source ip's and I was wondering if anyone had seen this pattern before. Both times snort logged 718 alerts consisting of the following:

1 instances of WEB-IIS multiple decode attempt 1 instances of FTP invalid MODE
1 instances of WEB-MISC http directory traversal 2 instances of WEB-IIS scripts access
2 instances of (spp_portscan2) Portscan detected 3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization)
6 instances of POLICY FTP anonymous login attempt 17 instances of WEB-IIS CodeRed v2 root.exe access 685 instances of WEB-IIS cmd.exe access

This may have been around awhile but its the first time I've seen it, so I figured I would ask. If this is something new I do have packets captures from all the alerts.

Thanks,
Jeremy

Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site http://webhosting.yahoo.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Mon Dec 2 18:21:32 2002

This message: [ Message body ]
Next message: Joe Stewart: "Re: TCP:80, TCP:1433 squelda 1.0 probe"
Previous message: Matt Harris: "Re: Bad protocol version identification '^V^C^A'"
In reply to: newsletters: "RE: New scanner?"
Next in thread: Russell Fulton: "Re: New scanner?"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT