Security Incidents mailing list archives

Crackers Targeting Web JetAdmin 6.5 Vulnerability


From: Brian Eckman <eckman () umn edu>
Date: Fri, 14 May 2004 13:22:25 -0500

We had a computer on campus that was broken into yesterday
via a vulnerability in HP Web JetAdmin 6.5 (default port of 8000/tcp).
The specific vulnerability is referenced at the following URL:

http://www.securitytracker.com/alerts/2004/Apr/1009960.html

There is a link in that advisory to the exploit code that appears to
have been used in our incident. The vulnerability was exploited to write an x.txt file to the root of the C: drive, and then call the Windows command line ftp program to execute the commands listed in the x.txt file. That downloaded the backdoor kit, which they then apparently executed via the same Web JetAdmin flaw.

The backdoor kit that was downloaded was just under 1MB, and when run,
extracts several files to C:\recycler, including nc.exe (netcat),
win.exe (ServU and apparently an IRC bot), the ServU configuration files
and such. Some time afterward, r_admin was downloaded and installed to
listen on 4899/tcp.

In this case, the x.txt file and the kit (flash.exe) were left in the
root of the C: drive, they had nc.exe (netcat) binding cmd.exe to
3112/tcp, had ServU FTP server listening on 1986/tcp, and had r_admin
listening on port 4899/tcp. The FTP Server and R_admin were services
that were listed in the control panel's Services applet (the win.exe was
listed as "Serv-U FTP Server", the r_admin was "Remote Administrator Service").

In the next hour of infection, our infected host appears to have
downloaded several other 1 MB files from various locations, apparently
as part of a speed test (there was a speed test results file found). Also, the cmd.exe backdoor on port 3112/tcp was accessed one time early in the exploitation, but does not seem to play a key role.

Upgrading to version 7.5 of Web JetAdmin reportedly fixes the flaw that
was exploited. The home page for this product is:
http://h10010.www1.hp.com/wwpc-JAVA/offweb/vac/us/en/en/network_software/wja_overview.html

The machine had up-to-date AntiVirus software on it. The attacker did run a script that tries to stop several different AntiVirus services by their name. (I will not confirm nor deny the script worked.) I will say that there did not appear to be any malware on the system that an AntiVirus product should detect. All of the backdoors placed on it were tools that can be used for good or for harm.

Anyway, I thought I would share this information. It's important to
remember that not only the high-profile stuff like MS04-011 is being
exploited. Any low-hanging fruit is game.

Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
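As an added example (not part of Brian's post), a small triage script that checks a host for the specific indicators described above: the listening ports used by the backdoors, the service display names they registered under, the dropped files, and whether Web JetAdmin's default port is exposed. The netstat output, service list and file list are constructed samples.

```python
import re

# Indicators taken from the incident report: backdoor listeners and their purpose.
BACKDOOR_PORTS = {
    3112: "nc.exe binding cmd.exe",
    1986: "Serv-U FTP server",
    4899: "r_admin (Remote Administrator)",
}
WJA_PORT = 8000  # HP Web JetAdmin 6.5 default port; exposed attack surface if still 6.5
SUSPECT_SERVICES = {"Serv-U FTP Server", "Remote Administrator Service"}
DROPPED_FILES = {r"c:\x.txt", r"c:\flash.exe", r"c:\recycler\nc.exe", r"c:\recycler\win.exe"}

# Matches a 'netstat -an' line for a TCP socket in LISTENING state and captures the port.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING", re.IGNORECASE)


def listening_ports(netstat_text):
    """Return the set of TCP ports in LISTENING state from netstat -an style output."""
    ports = set()
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def triage(netstat_text, service_names, file_paths):
    """Return a list of human-readable findings matching the incident's indicators."""
    findings = []
    ports = listening_ports(netstat_text)
    for port in sorted(ports & set(BACKDOOR_PORTS)):
        findings.append(f"listener on {port}/tcp: {BACKDOOR_PORTS[port]}")
    if WJA_PORT in ports:
        findings.append(f"listener on {WJA_PORT}/tcp: Web JetAdmin default port exposed")
    for name in sorted(set(service_names) & SUSPECT_SERVICES):
        findings.append(f"service installed: {name}")
    for path in sorted(p.lower() for p in file_paths):
        if path in DROPPED_FILES:
            findings.append(f"dropped file present: {path}")
    return findings


# Constructed sample input (not taken from the original post).
SAMPLE_NETSTAT = """  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1986           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3112           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:3112          10.0.0.9:40123         ESTABLISHED
"""
SAMPLE_SERVICES = ["Server", "Serv-U FTP Server", "Remote Administrator Service"]
SAMPLE_FILES = [r"C:\x.txt", r"C:\flash.exe", r"C:\recycler\nc.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, SAMPLE_SERVICES, SAMPLE_FILES):
        print(finding)
```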