Re: What "methods" are being used

[Gregory McCann <cambria () OWT COM>]

A little more info to add about the IIS part of the attack...

The following files were created in C:\

05/07/01  05:41a                   289 default.asp
05/07/01  05:41a                   289 default.htm
05/07/01  05:41a                   289 index.asp
05/07/01  05:41a                   289 index.htm

The same files were created in C:\InetPub and every subdirectory under C:\InetPub.

A question...  How did they automate the creation of these files in every \InetPub subdirectory?  I can't think of a 
simple command line to do that.



On 5/5/2001 at 8:33 PM Security, Network wrote:

> howdy folks, figured i'd weigh in and let everyone know what i've been
> seeing. yesterday and today have been crazy. i only assume these are
> attacks
> from chinese because of the anti-US sentiment diplayed on the defaced
> pages:
>
> "fuck USA Government
>
> fuck PoizonBOx
>
> contact:sysadmcn () yahoo com cn"
>
> anyway, it has been a flurry of unicode exploits. The thing i've found
> about
> these attacks is that even thought they are coming from all sorts of
> geographically dispersed systems, they are all default looking installs of
> solaris, with a root shell bound to port 600. My solaris rootkit knowledge
> is a bit rusty...anyone know of rootkits that bind shells to port 600? i
> also got a copy of the files on one of the hacked host. they resided in
> /dev/cuc and also seemed to store its data in /dev/cub. also grabbb is
> running. if anyone wants a copy of what i got from the attacking machine
> drop me a line and i'll tar it up for you. so i guess this was more of an
> analysis of the attacking machines rahter than the victim machines, but the
> victim machines are rather bland. Unicode exploit, copy
> C:\winnt\system32\cmd.exe to /scripts/root.exe and then do a echo into the
> homepage. pretty bland. they seem to be launching these attacks against
> anything listening on port 80...whatever happened to the script kiddie that
> _new_ what OS they were attacking? sheesh.
> ~ qarl
>
> <EOF>
> ================================================
> Karl Hill    | Computer Specialist
> 970.295.5293 | USDA Office of Cyber Security
> "...firewalls are speed bumps not brick walls."
>
> -----Original Message-----
> From: Paul Rogers [mailto:paul.rogers () MIS-CDS COM]
> Sent: Thursday, May 03, 2001 7:18 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: [INCIDENTS] What "methods" are being used
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > James Meritt wrote:
> >
> > A variety of web defacements reportedly originating with the
> > Chinese are
> > being reported.  Anyone know what method(s) are being used?
>
> If you want some useful statistics and some basic reconnaissance
> information, I personally use www.alldas.de (this is nothing to do
> with us) because they banner check and nmap the host when it is added
> to the archive. That way you can usually hazard an educated guess on
> how the page was defaced. Since the majority of boxes are running
> IIS4/5, RDS / MSADC, Unicode and MS-Sql seem to be the favourite. I
> guess as soon as a working exploit for the ISAPI Printer issue in
> IIS5 makes a rather public appearance, the defacers worldwide will be
> using that too.
>
> > Keith McCammon wrote:
> >
> > I've also been noticing a large number of anonymous FTP
> > checks in the last
> > two days.
>
> - From what we've seen - Holland has been the favourite source of scans
> for FTP recently; RPC scans typically originate from Eastern Asia and
> South America.
>
> Cheerio,
>
> Paul Rogers,
> Network Security Analyst.
>
> MIS Corporate Defence Solutions Limited
>
> Tel:           +44 (0)1622 723422 (Direct Line)
>               +44 (0)1622 723400 (Switchboard)
> Fax:           +44 (0)1622 728580
> Website:       http://www.mis-cds.com/
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
> iQA/AwUBOvFbSrnKcoQ5QY/3EQKIFACePSHNzaCDm6cvfVgFbPpRsMFMoIMAoITy
> 77CA/7pQ+FEl7nG2Wexd9yWw
> =7v/N
> -----END PGP SIGNATURE-----