Security Incidents mailing list archives

Re: [incident] IIS defacement through FTP, possible DoS

From: Muhammad Faisal Rauf Danka <mfrd () attitudex com>
Date: Wed, 5 Jun 2002 14:07:43 -0700 (PDT)

Logs indicate that you have been scanned for anonymous access / pun writable directories.

As far as how did you got defaced is concerned
There are many windows vulnerabilities which could've been used to compromise your box. If only one website has been 
defaced, It doesnt mean only that customer's FTP password was leaked/compromised.
It could be just your box, OpenShares / MS-SQL / ISS vulnerabilities etc.

I sugged you propery conduct a post security analysis (forensic analysis), and then find if your box as whole was 
compromised or not, and remember If your box was compromised then it's not necessary that the intruder will let his 
ip's be in the logs for anyone to see. He could've zeroed them.

Unless you had some IDS on Network, or atleast at the box itself to prompt you as soon as it finds something fishy, 
there is no way you can really trust the authenticity of logs.

Regards, 
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk

Vice President
Pakistan Computer Emergency Responce Team (PakCERT)
web: www.pakcert.org

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk


--- "Iain Craig" <i.craig () gael net> wrote:

Hi all,

Was wondering if anyone is aware of an IIS FTP server exploit that allows a=
n attacker the read/write access of a single given legimate user's folders =
and also zeroes the log file?

I've just seen this behaviour on a box running Win2K Advanced Server SP2 an=
d IIS 5.

The box hosts many websites, one of which was defaced; looking at the web l=
ogs I see no suspicious activity at all (no POST attempts even - the site's=
fairly simple and doesn't need POST at all - also no FrontPage). Checking =
the FTP logs, which is the site's owner's only way in, I see the log for wh=
en the attack happened (on hourly rotation) is precisely 64Kb of 00h.

Is this "just" a cunning FTP server exploit or, given the nature of the log=
file, should I be concerned that a higher level of access to the box has be=
en acheived?

In logs for the days prior to the compromise I see connections to the FTP s=
erver that are certainly odd but don't match a brute force attack fingerpri=
nt:

<snip>
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.=
THE.BOX 21 [27]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.=
THE.BOX 21 [28]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.=
THE.BOX 21 [29]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous () ftp microsoft com MSFTPSVC1 BOXNAME IP.OF.=
THE.BOX 21 [30]USER anonymous () ftp microsoft com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [1]PASS - - 530=
1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [5]PASS - - 530=
1326 0 0 219 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [2]PASS - - 530=
1326 0 0 219 FTP - - - -
<snip>

There was a LOT of those, all very fast like a DoS attempt. Other usernames=
I was seeing in a similar DoS fashion from the same time and IP were Ogpus=
er () home com, Kgpuser () home com, and Lgpuser () home com

Anyone know of a kiddie tool that uses these names?

Incidentally, from the WHOIS on that IP:

inetnum:      81.64.0.0 - 81.67.255.255
netname:      FR-CYBERCABLE-20020103
descr:        LYONNAISE COMMUNICATIONS
            PROVIDER Local Registry
country:      FR
admin-c:      LC220-RIPE
tech-c:       LC224-RIPE
status:       ALLOCATED PA
mnt-by:       RIPE-NCC-HM-MNT
mnt-lower:    AS6678-MNT
mnt-routes:   AS6678-MNT
changed:      hostmaster () ripe net 20020103
changed:      hostmaster () ripe net 20020108
source:       RIPE

That's not the only IP these DoS-ish requests came from; going through the =
others now. Wondering if I'm dealing with two seperate incidents here, the =
defacement and a seperate DoS or DDoS.

Any advice or guidance appreciated.

Best regards,
Iain C

--=20
Iain Craig

--=20
Iain Craig - Systems Administrator



_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------

_____________________________________________________________
Promote your group and strengthen ties to your members with email () yourgroup org by Everyone.net  
http://www.everyone.net/?btn=tag

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

[incident] IIS defacement through FTP, possible DoS Iain Craig (Jun 05)
- Re: [incident] IIS defacement through FTP, possible DoS Jean-Luc (Jun 05)
- <Possible follow-ups>
- Re: [incident] IIS defacement through FTP, possible DoS Matthew . Brown (Jun 05)
- Re: [incident] IIS defacement through FTP, possible DoS Michael Katz (Jun 05)
- Re: [incident] IIS defacement through FTP, possible DoS Muhammad Faisal Rauf Danka (Jun 05)
- RE: [incident] IIS defacement through FTP, possible DoS Iain Craig (Jun 06)
  - Re: [incident] IIS defacement through FTP, possible DoS Patrick Andry (Jun 06)