Security Incidents mailing list archives
Crackers Targeting Web JetAdmin 6.5 Vulnerability
From: Brian Eckman <eckman () umn edu>
Date: Fri, 14 May 2004 13:22:25 -0500
We had a computer on campus that was broken into yesterday via a vulnerability in HP Web JetAdmin 6.5 (default port of 8000/tcp). The specific vulnerability is referenced at the following URL: http://www.securitytracker.com/alerts/2004/Apr/1009960.html There is a link in that advisory to the exploit code that appears to have been used in our incident. The vulnerability was exploited to write a x.txt file to the root of the C: drive, and then call the Windows command line ftp program to execute the commands listed in the x.txt file. That downloaded the backdoor kit, which they then apparently executed via the same Web JetAdmin flaw.
The backdoor kit that was downloaded was just under 1MB, and when run, extracts several files to C:\recycler, including nc.exe (netcat), win.exe (ServU and apparently an IRC bot), the ServU configuration files and such. Some time afterward, r_admin was downloaded and installed to listen on 4899/tcp. In this case, the x.txt file and the kit (flash.exe) were left in the root of the C: drive, they had nc.exe (netcat) binding cmd.exe to 3112/tcp, had ServU FTP server listening on 1986/tcp, and had r_admin listening on port 4899/tcp. The FTP Server and R_admin were services that were listed in the control panel's Services applet (the win.exe was listed as "Serv-U FTP Server", the r_admin was "Remote Administrator Service").
In the next hour of infection, our infected host appears to have downloaded several other 1 MB files from various locations, apparently as part of a speed test (there was a speed test results file found). Also, the cmd.exe backdoor on port 3112/tcp was accessed one time early in the exploitation, but does not seem to play a key role.
Upgrading to version 7.5 of Web JetAdmin reportedly fixes the flaw that was exploited. The home page for this product is: http://h10010.www1.hp.com/wwpc-JAVA/offweb/vac/us/en/en/network_software/wja_overview.html
The machine had up-to-date AntiVirus software on it. The attacker did run a script that tries to stop several different AntiVirus services by their name. (I will not confirm nor deny the script worked.) I will say that there did not appear to be any malware on the system that an AntiVirus product should detect. All of the backdoors placed on it were tools that can be used for good or for harm.
Anyway, I thought I would share this information. It's important to remember that not only the high-profile stuff like MS04-011 is being exploited. Any low-hanging fruit is game.
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
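A host-triage helper that checks the indicators described in the post above (the listeners on 3112, 1986 and 4899/tcp, the exposed Web JetAdmin port 8000/tcp, and the two service display names) against `netstat -ano` style output and a list of installed service names. This is an added example, not code from the post or from HP; the netstat text and service list below are constructed sample data.

```python
"""Match the indicators from the Web JetAdmin incident against netstat output
and a service list. Sample inputs are constructed, not taken from the incident."""
import re
from dataclasses import dataclass

# Listening ports and service display names reported in the post.
SUSPECT_PORTS = {
    3112: "netcat (nc.exe) bound to cmd.exe",
    1986: "Serv-U FTP server (win.exe)",
    4899: "r_admin (Remote Administrator)",
}
SUSPECT_SERVICES = {"Serv-U FTP Server", "Remote Administrator Service"}
WEBJETADMIN_PORT = 8000  # default port of the exploited service

# One LISTENING row of `netstat -ano` (Windows): proto, local addr:port, foreign, state, pid
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)")


@dataclass
class Finding:
    kind: str    # "listener", "exposure" or "service"
    detail: str


def scan_netstat(output: str) -> list:
    """Flag known backdoor listeners and the exposed Web JetAdmin port."""
    findings = []
    for line in output.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        port, pid = int(m.group(1)), m.group(2)
        if port in SUSPECT_PORTS:
            findings.append(Finding("listener", f"port {port} pid {pid}: {SUSPECT_PORTS[port]}"))
        elif port == WEBJETADMIN_PORT:
            findings.append(Finding("exposure", f"port {port} pid {pid}: Web JetAdmin default port"))
    return findings


def scan_services(names) -> list:
    """Flag the service display names the backdoor kit registered."""
    return [Finding("service", n) for n in names if n in SUSPECT_SERVICES]


# Constructed sample data resembling a compromised host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       716
  TCP    0.0.0.0:1986           0.0.0.0:0              LISTENING       1404
  TCP    0.0.0.0:3112           0.0.0.0:0              LISTENING       1388
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1092
"""
SAMPLE_SERVICES = ["Serv-U FTP Server", "Remote Administrator Service", "Spooler"]

if __name__ == "__main__":
    for f in scan_netstat(SAMPLE_NETSTAT) + scan_services(SAMPLE_SERVICES):
        print(f"[{f.kind}] {f.detail}")
```

On a live Windows host, feed it the captured output of `netstat -ano` and the display names from the Services applet; an unexpected listener on a port a printer-management box has no reason to open is the cheapest tell described in the post.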