Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: New scanner?

From: "newsletters" <listserv () citadelconsulting net>
Date: Mon, 25 Nov 2002 11:27:23 -0500


To keydet89,

The text following this message is from Jeremy and shows ACCESS to
cmd.exe and root.exe as well as the presence of Unicode2.pl. Root.exe is
just cmd.exe renamed and if there are 685 instances of access to cmd.exe
on the network, my belief would be that THEY HAVE BEEN COMPROMISED. I'm
failing to see what additional proof is needed?! But, if you don't want
to take my word for it, they could just wait and see how long it takes
for additional systems to become compromised. I didn't say which box was
compromised, however it is more than likely an IIS server because
CODERED takes advantage of vulnerabilities in IIS (Unicode directory
traversal vulnerability I believe). In addition, unicode2.pl is a Perl
script used to propagate CODERED.

3 instances of WEB-IIS Unicode2.pl script (File
permission canonicalization) 
6 instances of POLICY FTP anonymous login attempt 
17 instances of WEB-IIS CodeRed v2 root.exe access 
685 instances of WEB-IIS cmd.exe access

CB

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com] 
Sent: Monday, November 25, 2002 9:19 AM
To: security-basics () securityfocus com
Subject: RE: New scanner?

A couple of things...

First off, it's good that snort is running to catch
these things.

To CB...
"My opinion would be to rebuild the box with all
current patches and service packs."

Why?  Just b/c snort picked up the signatures, doesn't
mean that the box was actually compromised...does it? 
After all, the snort signatures are specific enough to
pick up the inbound signatures, but nothing from
Jeremy shows what the response codes from IIS are...do
they?  Jeremy didn't mention anything about the
server's responses, nor did he post the web logs.  In
fact, Jeremy never actually said which web server (if
any) he's running!

The assumption is that Jeremy is running IIS...and
this may actually be the case.  However, Jeremy's post
has only the snort signature titles, and nothing else.
 

What this shows is that there is still a propensity to
make assumptions, not only regarding posts such as
Jeremy's, but in incident response investigations, as well.

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com
Previous By Date Next
Previous By Thread Next

Current thread: