Security Incidents mailing list archives

[incident] IIS defacement through FTP, possible DoS


From: "Iain Craig" <i.craig () gael net>
Date: Wed, 5 Jun 2002 09:40:13 +0100

Hi all,

Was wondering if anyone is aware of an IIS FTP server exploit that allows an attacker read/write access to a single 
given legitimate user's folders and also zeroes the log file?

I've just seen this behaviour on a box running Win2K Advanced Server SP2 and IIS 5.

The box hosts many websites, one of which was defaced; looking at the web logs I see no suspicious activity at all (no 
POST attempts even - the site's fairly simple and doesn't need POST at all - also no FrontPage). Checking the FTP logs, 
which is the site's owner's only way in, I see the log for when the attack happened (on hourly rotation) is precisely 
64Kb of 00h.

Is this "just" a cunning FTP server exploit or, given the nature of the logfile, should I be concerned that a higher 
level of access to the box has been achieved?

In logs for the days prior to the compromise I see connections to the FTP server that are certainly odd but don't match 
a brute force attack fingerprint:

<snip>
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [27]USER anonymous () ftp 
microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [28]USER anonymous () ftp 
microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [29]USER anonymous () ftp 
microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [30]USER anonymous () ftp 
microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [1]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [5]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [2]PASS - - 530 1326 0 0 219 FTP - - - -
<snip>

There were a LOT of those, all very fast like a DoS attempt. Other usernames I was seeing in a similar DoS fashion from 
the same time and IP were Ogpuser () home com, Kgpuser () home com, and Lgpuser () home com

Anyone know of a kiddie tool that uses these names?

Incidentally, from the WHOIS on that IP:

inetnum:      81.64.0.0 - 81.67.255.255
netname:      FR-CYBERCABLE-20020103
descr:        LYONNAISE COMMUNICATIONS
              PROVIDER Local Registry
country:      FR
admin-c:      LC220-RIPE
tech-c:       LC224-RIPE
status:       ALLOCATED PA
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    AS6678-MNT
mnt-routes:   AS6678-MNT
changed:      hostmaster () ripe net 20020103
changed:      hostmaster () ripe net 20020108
source:       RIPE

That's not the only IP these DoS-ish requests came from; going through the others now. Wondering if I'm dealing with 
two separate incidents here, the defacement and a separate DoS or DDoS.

Any advice or guidance appreciated.

Best regards,
Iain C

-- 
Iain Craig - Systems Administrator

Gael.net Ltd - Web Developers & Internet Consultants
Telematic Centre,
Broom Place,
Dunvegan Road,
Portree,
Isle of Skye
Scotland
IV51 9HL

t: +44 (0)1478 613 300
f: +44 (0)1478 614 929
e: i.craig () gael net
w: www.gael.net

Need "Instant Web Publishing"? Try www.sitekit.net
Need "Instant E-commerce"? Try www.shopkit.net
Need effective e-marketing services? Try www.promokit.net

The 2001 Highland & Islands Business Awards - Technology Award Winner

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
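A small triage script for the two indicators the post describes: bursts of 530 logon failures from one IP within a single second, and an hourly log file that is nothing but NUL bytes. This is an added example, not part of the original message; the log lines in it are constructed in the IIS 5 FTP log layout quoted above (with `@` where the archive shows ` () `), and the server address 10.0.0.5 is a placeholder.

```python
"""Triage helpers for the IIS FTP log pattern and the zeroed log file described above."""
from collections import Counter

# Constructed sample in the whitespace-separated W3C layout IIS 5 FTP logs use:
# time c-ip cs-username s-sitename s-computername s-ip s-port [conn]method uri query
# sc-status sc-win32-status sc-bytes cs-bytes time-taken cs-version ...
SAMPLE_LOG = """\
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME 10.0.0.5 21 [27]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME 10.0.0.5 21 [28]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME 10.0.0.5 21 [27]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME 10.0.0.5 21 [28]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME 10.0.0.5 21 [29]PASS - - 530 1326 0 0 219 FTP - - - -
02:15:01 192.0.2.10 siteowner MSFTPSVC1 BOXNAME 10.0.0.5 21 [40]USER siteowner - 331 0 0 0 0 FTP - - - -
02:15:02 192.0.2.10 siteowner MSFTPSVC1 BOXNAME 10.0.0.5 21 [40]PASS - - 230 0 0 0 312 FTP - - - -
"""


def parse_ftp_log(text):
    """Yield one dict per log line; '#' header lines and short lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 12:
            continue
        # The method field carries a "[connection-id]" prefix, e.g. "[27]PASS".
        yield {"time": f[0], "ip": f[1], "user": f[2],
               "method": f[7].split("]", 1)[-1],
               "status": int(f[10]), "win32": int(f[11])}


def failed_logon_bursts(records, threshold=5):
    """Return {(ip, hh:mm:ss): count} for seconds in which one client produced
    at least `threshold` PASS commands answered 530 with Win32 status 1326
    (ERROR_LOGON_FAILURE), i.e. the rapid-fire pattern in the post."""
    hits = Counter()
    for r in records:
        if r["method"] == "PASS" and r["status"] == 530 and r["win32"] == 1326:
            hits[(r["ip"], r["time"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


def is_zeroed_log(data, min_size=4096):
    """True when a log file of at least min_size bytes contains only NUL bytes,
    the "64Kb of 00h" the post found where the hour of the attack should be."""
    return len(data) >= min_size and not data.strip(b"\x00")
```

Run over a directory of hourly logs, a True from is_zeroed_log on any file is the tampering indicator, while failed_logon_bursts on the surviving files shows which source IPs and seconds to focus on.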

