Re: IIS and leech

["Ken Schaefer" <ken () adOpenStatic com>]

a) Why do you have automatic updates enabled on a production server box?
That sounds like trouble waiting to happen.

b) Many Windows services utilise "dynamic" high order ports. The Port Mapper
service on 135 tells remote users what high order port the particular
service is using (eg if my app wanted to connect to your messenger service,
then it would find out from your port mapper service on 135 which high order
port your messenger service had been given).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
From: "randall perry" <randallp () domain-logic com>
Subject: IIS and leech


: An IIS box I manage freaked out yesterday.  I initially thought that it
: came under attack but after digging through what was left of the crime
: scene, it looks like MS is to blame.  The most recent event before the
: nightmare began was at 7pm the night was the creation of c:\program
: files\WindowsUpdate\wuaudnld.tmp\.  That tells me that an automagic
: MS Windows update is what is the root of trashing that ecommerce box
: that took all day yesterday to recover (after 2 BSODs trashing it to it to
: the point of not having network connectivity) .
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

: If that wouldn't have happened, I probably would not have found the
following:
: hum.exe which is really leech ftp server was installed on the box and
setup as service to start with the box.  I found more than 30 gig of files
(movies, MP3s)  were there under
: d:\i386\winnt[some characters]\system32\system32\ and some funny directory
names.  The movies were broken into 14meg chunks, but had sample avi files
in the directory that showed a short clip of what the movie was.
:
: I have no idea how this got planted there by who.
: (only the office manager and graphics person are the only ones to access
the box)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lots of ways to get into a box. Ever heard of "Code Red" and "Nimda"? (just
for example). Both give the remote user command line access. Depending on
what user context you are running the WWW access under, a remote attacker
could possibly share a folder and copy some files to the server. Drop a
setup script into a "startup" folder, and viola.

Cheers
Ken


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com