Educause Security Discussion mailing list archives
Re: Chinese dot-dot-slash attack on Windows 2000/IIS
From: Curt Wilson <curtw () SIU EDU>
Date: Tue, 16 Sep 2008 17:37:57 -0500
Andrew Daviel wrote:
(previously posted to UNISOG) We had some guy coming in from Guangdong over Windows Terminal Server, with "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a trojan server, but the server binary looks legit and the string was in incoming traffic, so maybe he's got a password but was using some funny client.

Then we found some highly suspicious HTTP traffic:

GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1
GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1
href='?%23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo'>

Googling for infoAboutSrv turns up what look like hacked Chinese sites "by Markos" - various javascript pages with Chinese language text.
<snip>

Andrew,

Did these queries return 404's and you are just notifying us that this is an attack technique in use, or did the server actually get compromised and respond to these HTTP queries as expected by the attacker? Is open.asp something that you think attackers are uploading themselves to compromised servers (my guess) or part of some pre-existing package?

Some further data about badware domains to block:

http://www.google.com/safebrowsing/diagnostic?site=http://user.edude.net/cb/books/news_libshow.asp%3Fid%3D4944

Relevant details from this particular compromise:

"Malicious software includes 172 scripting exploit(s), 73 trojan(s), 25 exploit(s). Successful infection resulted in an average of 16 new processes on the target machine. Malicious software is hosted on 42 domain(s), including edude.net, nicelick.cn, fivecq.cn. 16 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including 210.53.203.0, edude.net, dxp004.cn. Has this site acted as an intermediary resulting in further distribution of malware? Over the past 90 days, user.edude.net/ appeared to function as an intermediary for the infection of 3 site(s) including bcsz.com.cn, www1.edude.net, cb.edude.net. Has this site hosted malware? Yes, this site has hosted malicious software over the past 90 days. It infected 7 domain(s), including edude.net, bcsz.com.cn, cb.edude.net."

--
Curt Wilson
SIUC IT Security Officer & Security Engineer
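Curt's question (did the requests 404, or did the server answer them?) is the one a log reviewer has to settle first. The script below is an added example, not part of this thread or of any poster's tooling: it reads IIS W3C extended log lines, percent-decodes the URI stem and query, flags requests whose path contains a ".." segment (including the "c.." form quoted above) or whose query string contains the Execute(Session(...)) pattern from the quoted traffic, and then uses sc-status to separate probes that were rejected from requests the server actually served. The log lines, client addresses and field layout are constructed for the example; the URI and query strings are the ones quoted in the thread.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines for the example (not from the thread).
# The #Fields: header drives column parsing, as in a real IIS log file.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-09-10 03:12:44 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp - 404
2008-09-10 03:12:51 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=PageList 200
2008-09-10 03:13:02 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo 200
2008-09-10 03:15:10 198.51.100.4 GET /homepage/index.asp - 200
2008-09-10 03:16:33 198.51.100.4 GET /images/logo.gif - 200
"""

# A path segment that ends in ".." (covers "..", "c..", and similar variants).
TRAVERSAL = re.compile(r"(^|/)[^/]*\.\.(/|$)")
# Query-string pattern seen in the quoted traffic: a classic ASP eval-style one-liner.
EVAL_SHELL = re.compile(r"execute\s*\(\s*session\s*\(", re.IGNORECASE)


def _decode(s):
    """Percent-decode until stable so %2e%2e and %252e%252e both normalise to '..'."""
    prev = None
    while s != prev:
        prev, s = s, unquote(s)
    return s


def parse_w3c(log_text):
    """Yield one dict per data line, keyed by the names from the #Fields: header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def classify(entry):
    """Return a finding dict for a suspicious request, or None if it looks benign."""
    stem = _decode(entry.get("cs-uri-stem", ""))
    query = entry.get("cs-uri-query", "-")
    query = "" if query == "-" else _decode(query)
    reasons = []
    if TRAVERSAL.search(stem):
        reasons.append("traversal")
    if EVAL_SHELL.search(query):
        reasons.append("asp-eval-in-query")
    if not reasons:
        return None
    status = int(entry.get("sc-status", "0"))
    # 2xx means the server handled the request: that is the case that needs triage.
    verdict = "served" if 200 <= status < 300 else "probe"
    return {
        "ip": entry.get("c-ip"),
        "uri": stem,
        "query": query,
        "status": status,
        "reasons": reasons,
        "verdict": verdict,
    }


def analyze(log_text):
    """All suspicious requests in the log, in file order."""
    return [f for f in (classify(e) for e in parse_w3c(log_text)) if f]


def summarize(findings):
    """Per-client counts of rejected probes versus served requests."""
    summary = {}
    for f in findings:
        counts = summary.setdefault(f["ip"], {"probe": 0, "served": 0})
        counts[f["verdict"]] += 1
    return summary


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for r in results:
        print(f'{r["ip"]} {r["status"]} {r["verdict"]:6} {",".join(r["reasons"])} {r["uri"]}')
    print(summarize(results))
```

A client that only ever draws 404s is scanning; a client whose traversal requests return 200, and whose query strings carry the Execute(Session(...)) pattern, has very likely found a script it can drive, and that host should be treated as compromised until the file behind the served path is accounted for.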
Current thread:
- Chinese dot-dot-slash attack on Windows 2000/IIS Andrew Daviel (Sep 11)
- <Possible follow-ups>
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Justin Azoff (Sep 12)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Andrew Daviel (Sep 12)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Curt Wilson (Sep 16)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Jeni Li (Sep 26)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Delaney, Cherry L. (Sep 27)