Security Incidents mailing list archives
[incident] IIS defacement through FTP, possible DoS
From: "Iain Craig" <i.craig () gael net>
Date: Wed, 5 Jun 2002 09:40:13 +0100
Hi all,

Was wondering if anyone is aware of an IIS FTP server exploit that allows an attacker the read/write access of a single given legitimate user's folders and also zeroes the log file? I've just seen this behaviour on a box running Win2K Advanced Server SP2 and IIS 5.

The box hosts many websites, one of which was defaced; looking at the web logs I see no suspicious activity at all (no POST attempts even - the site's fairly simple and doesn't need POST at all - also no FrontPage). Checking the FTP logs, which is the site's owner's only way in, I see the log for when the attack happened (on hourly rotation) is precisely 64Kb of 00h.

Is this "just" a cunning FTP server exploit or, given the nature of the logfile, should I be concerned that a higher level of access to the box has been achieved?

In logs for the days prior to the compromise I see connections to the FTP server that are certainly odd but don't match a brute force attack fingerprint:

<snip>
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [27]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [28]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [29]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [30]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [1]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [5]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [2]PASS - - 530 1326 0 0 219 FTP - - - -
<snip>

There was a LOT of those, all very fast like a DoS attempt.
Other usernames I was seeing in a similar DoS fashion from the same time and IP were Ogpuser () home com, Kgpuser () home com, and Lgpuser () home com. Anyone know of a kiddie tool that uses these names?

Incidentally, from the WHOIS on that IP:

inetnum: 81.64.0.0 - 81.67.255.255
netname: FR-CYBERCABLE-20020103
descr: LYONNAISE COMMUNICATIONS PROVIDER Local Registry
country: FR
admin-c: LC220-RIPE
tech-c: LC224-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS6678-MNT
mnt-routes: AS6678-MNT
changed: hostmaster () ripe net 20020103
changed: hostmaster () ripe net 20020108
source: RIPE

That's not the only IP these DoS-ish requests came from; going through the others now. Wondering if I'm dealing with two separate incidents here, the defacement and a separate DoS or DDoS.

Any advice or guidance appreciated.

Best regards,
Iain C

--
Iain Craig - Systems Administrator
Gael.net Ltd - Web Developers & Internet Consultants
Telematic Centre, Broom Place, Dunvegan Road, Portree, Isle of Skye Scotland IV51 9HL
t: +44 (0)1478 613 300 f: +44 (0)1478 614 929
e: i.craig () gael net w: www.gael.net
Need "Instant Web Publishing"? Try www.sitekit.net
Need "Instant E-commerce"? Try www.shopkit.net
Need effective e-marketing services? Try www.promokit.net
The 2001 Highland & Islands Business Awards - Technology Award Winner

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
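An added example (not part of Iain's post or the list) in Python: it parses lines in the IIS 5 MSFTPSVC log layout quoted above, flags source IPs that pile up 530 PASS replies (win32 status 1326, a logon failure) within a short window and links them to the usernames tried in the same FTP session, and checks whether a rotated log file is nothing but NUL bytes. The sample lines are constructed from the post's layout with '@' restored (the archive renders it as ' () '); the 192.0.2.10 "siteowner" login, the threshold and the window are assumptions.

```python
from collections import defaultdict
# Constructed sample in the IIS 5 MSFTPSVC W3C extended layout quoted in the post
# ('@' restored; the archive shows ' () ').  Fields: time c-ip cs-username s-sitename
# s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status ...
# The 192.0.2.10 lines are an assumed normal login (230) for contrast.
SAMPLE_LOG = """\
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [27]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [1]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [2]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:51 81.65.186.118 Kgpuser@home.com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [29]USER Kgpuser@home.com - 331 0 0 0 0 FTP - - - -
02:08:51 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [29]PASS - - 530 1326 0 0 220 FTP - - - -
03:15:02 192.0.2.10 siteowner MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [40]USER siteowner - 331 0 0 0 0 FTP - - - -
03:15:03 192.0.2.10 siteowner MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [40]PASS - - 230 0 0 0 15 FTP - - - -
"""

def parse(text):
    """Yield one dict per line; cs-method looks like "[27]USER" (session id, cmd)."""
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        h, m, s = map(int, f[0].split(":"))
        sid, cmd = f[7].lstrip("[").split("]", 1)
        yield {"t": h * 3600 + m * 60 + s, "ip": f[1], "session": sid, "cmd": cmd,
               "arg": f[8], "status": int(f[10]), "win32": int(f[11])}

def failed_logins(text, threshold=3, window=60):
    """Client IPs with >= threshold 530 PASS replies inside `window` seconds, plus the
    usernames tried (USER line of the same session); win32 1326 = ERROR_LOGON_FAILURE."""
    last_user, fails, names = {}, defaultdict(list), defaultdict(set)
    for r in parse(text):
        key = (r["ip"], r["session"])
        if r["cmd"] == "USER":
            last_user[key] = r["arg"]
        elif r["cmd"] == "PASS" and r["status"] == 530:
            fails[r["ip"]].append(r["t"])
            if key in last_user:
                names[r["ip"]].add(last_user[key])
    hits = {}
    for ip, times in fails.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            hits[ip] = {"failures": len(times), "usernames": sorted(names[ip])}
    return hits

def log_is_zeroed(data):
    """True when a log is nothing but NUL bytes (the post's 64Kb of 00h), i.e. it
    was overwritten or truncated in place rather than rotated out empty."""
    return len(data) > 0 and data.count(0) == len(data)
```

A PASS failure whose USER line fell outside the captured snippet is counted but contributes no username, which is why only Kgpuser@home.com is attributed in the sample.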
Current thread:
- [incident] IIS defacement through FTP, possible DoS Iain Craig (Jun 05)
- Re: [incident] IIS defacement through FTP, possible DoS Jean-Luc (Jun 05)
- <Possible follow-ups>
- Re: [incident] IIS defacement through FTP, possible DoS Matthew . Brown (Jun 05)
- Re: [incident] IIS defacement through FTP, possible DoS Michael Katz (Jun 05)
- Re: [incident] IIS defacement through FTP, possible DoS Muhammad Faisal Rauf Danka (Jun 05)
- RE: [incident] IIS defacement through FTP, possible DoS Iain Craig (Jun 06)
- Re: [incident] IIS defacement through FTP, possible DoS Patrick Andry (Jun 06)