Educause Security Discussion mailing list archives

Re: Chinese dot-dot-slash attack on Windows 2000/IIS


From: Curt Wilson <curtw () SIU EDU>
Date: Tue, 16 Sep 2008 17:37:57 -0500

Andrew Daviel wrote:
(previously posted to UNISOG)

We had some guy coming in from Guangdong over Windows Terminal Server,
with "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a
trojan server, but the server binary looks legit and the string was in
incoming traffic, so maybe he's got a password but was using some funny
client. Then we found some highly suspicious HTTP traffic:
GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1
GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1
href='?%23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo'>
Googling for infoAboutSrv turns up what look like hacked Chinese sites
"by Markos" - various javascript pages with Chinese language text.

<snip>

Andrew,

Did these queries return 404s, and are you just notifying us that this
is an attack technique in use, or did the server actually get
compromised and respond to these HTTP queries as the attacker expected?

Is open.asp something that you think attackers are uploading themselves
to compromised servers (my guess) or part of some pre-existing package?

Some further data about badware domains to block:

http://www.google.com/safebrowsing/diagnostic?site=http://user.edude.net/cb/books/news_libshow.asp%3Fid%3D4944

Relevant details from this particular compromise:

"Malicious software includes 172 scripting exploit(s), 73 trojan(s), 25
exploit(s). Successful infection resulted in an average of 16 new
processes on the target machine.

Malicious software is hosted on 42 domain(s), including edude.net,
nicelick.cn, fivecq.cn.

16 domain(s) appear to be functioning as intermediaries for distributing
malware to visitors of this site, including 210.53.203.0, edude.net,
dxp004.cn.

Has this site acted as an intermediary resulting in further distribution
of malware?

Over the past 90 days, user.edude.net/ appeared to function as an
intermediary for the infection of 3 site(s) including bcsz.com.cn,
www1.edude.net, cb.edude.net.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It
infected 7 domain(s), including edude.net, bcsz.com.cn, cb.edude.net."
--
Curt Wilson
SIUC IT Security Officer & Security Engineer
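The question above (404 probe versus a served shell call) is one a log review can answer mechanically. The following is an added example, not code from this thread or from either poster: a small Python checker that reads IIS W3C-style log lines, URL-decodes the URI (repeatedly, so double-encoded `%2523` is seen as the attacker meant it), and flags two things seen in the quoted requests: a path segment containing `..` and an ASP one-liner backdoor invocation such as `Execute(Session("#"))` or `Execute(Request("#"))`. The field order and the sample log lines are constructed for the example and modelled on the requests quoted above; they are not the original server's logs, and whether IIS resolves `c..` as a traversal is not something this code decides, it only flags the segment for review.

```python
"""Flag dot-dot path segments and ASP eval-style webshell calls in IIS-style log lines."""
import re
from urllib.parse import unquote

# Assumed W3C field order for this example; real IIS logs declare theirs in a "#Fields:" line.
LOG_FIELDS = ("date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")

# ASP one-liner backdoor invocations: Execute(Session("#")), Execute(Request("#")), Eval(Request(..)).
WEBSHELL_RE = re.compile(r"\b(execute|eval)\s*\(\s*(session|request)\s*\(", re.IGNORECASE)

# Constructed sample modelled on the requests quoted in the thread (not the original server's logs).
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-09-16 21:02:11 10.0.0.5 GET /homepage/foobar/index.asp - 200
2008-09-16 21:02:13 10.0.0.5 GET /homepage/foobar/sysvolume/c../open.asp - 404
2008-09-16 21:02:14 10.0.0.5 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=PageList 200
2008-09-16 21:02:15 10.0.0.5 GET /homepage/foobar/open.asp %2523=Execute(Session(%2522%2523%2522))&pageName=infoAboutSrv 200
2008-09-16 21:02:16 10.0.0.5 GET /images/logo.gif - 200
"""


def deep_unquote(s, rounds=3):
    """URL-decode repeatedly (bounded) so %2523 -> %23 -> # is seen as the attacker intended."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def parse_line(line):
    """Split one W3C log line into a dict; returns None for comment, blank or malformed lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(LOG_FIELDS):
        return None
    rec = dict(zip(LOG_FIELDS, parts))
    rec["sc-status"] = int(rec["sc-status"])
    return rec


def has_traversal_segment(path):
    """True if any path component contains '..' (covers plain '..' and odd forms like 'c..')."""
    return any(".." in seg for seg in path.split("/"))


def analyze(rec):
    """Return a finding dict for one parsed record, or None if nothing suspicious."""
    stem = deep_unquote(rec["cs-uri-stem"])
    query = "" if rec["cs-uri-query"] == "-" else deep_unquote(rec["cs-uri-query"])
    traversal = has_traversal_segment(stem)
    webshell = bool(WEBSHELL_RE.search(query)) or bool(WEBSHELL_RE.search(stem))
    if not (traversal or webshell):
        return None
    return {
        "uri": stem + ("?" + query if query else ""),
        "traversal": traversal,
        "webshell": webshell,
        "status": rec["sc-status"],
        # A 2xx/3xx answer to a shell call means the page exists and ran: incident, not probe.
        "served": rec["sc-status"] < 400,
    }


def scan_log(text):
    """Return findings for every suspicious line in the log text, in file order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = analyze(rec)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flags = ",".join(k for k in ("traversal", "webshell") if f[k])
        print(f"{f['status']} {'SERVED' if f['served'] else 'denied':6} {flags:18} {f['uri']}")
```

Run against a real log, the `served` column is the one to sort on: a `Execute(Session(...))` request answered with 200 means `open.asp` was present and executed, which is the "server responded as expected by the attacker" case, while the same request answered 404 is a scanner probing for a shell someone else dropped.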
