Re: pimpshiz / put i.txt

["Larimer, Jon (ISSAtlanta)" <JLarimer () ISS NET>]

You probably have write access enabled to the root directory of your server.
This is bad. To see if you do, try:

computer:~$ nc machine_to_test 80
PUT /dingding HTTP/1.1
Host: 127.0.0.1
Content-type: text/plain
Content-length: 4

asdf <hit enter a couple times>

If you get a HTTP 201 or 200 return code, the upload was successful and you
will now have a "dingding" file on your server. If that happens, you should
fix it. Check the "Home Directory" tab in your web site properties dialog
and check to see that Write access is not enabled. You should make sure
IUSR_WHATEVER doesn't have write access to the web documents directory
(inetpub\wwwroot)... if they do, and IIS has writing enabled, someone could
cause a bunch of problems for you. I would guess that pimpshiz has a script
that scans the net looking for servers that are vulnerable to this problem.
IIS is not vulnerable by default.

-jon

=====================================================================
Jon Larimer                         |     Direct Dial: (678) 443-6159
Systems Engineer / ISS X-Force Team |  ISS Front Desk: (678) 443-6000
Internet Security Systems, Inc.     |         ISS Fax: (678) 443-6477
=====================================================================



> -----Original Message-----
> From: Rewt, Kit [mailto:rewtkits () HUSHMAIL COM]
> Sent: Wednesday, October 04, 2000 6:26 PM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: pimpshiz / put i.txt
>
>
> I was wondering if anyone on the list has had their website
> hit by the notorious
> '_pimpshiz_'.
>
> Here are some logs from the 'penetrated' webserver.
>
>  23:55:35 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx HEAD
> /i.txt - 404
> 2 143 136 10 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
>
>  23:55:37 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET
> /index.asp -
> 200 0 17258 130 1833 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
>
>  23:55:39 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx PUT
> /i.txt - 201
> 0 276 218 300 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 -
>  23:55:45 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET
> /i.txt - 200
> 0 264 339 360 80 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
> -
>  23:55:51 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET
> /index.asp -
> 200 0 17488 334 1662 80 HTTP/1.1
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt)
> -
>  23:55:54 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET
> /graphics/tab_athome.off.gif
> - 200 0 492 266 420 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.0;
>
> We are running the latest version of iis.
>
>
> Sorry for the lack of details on the actual web server , I
> will provide
> more info in the next few days.
> I basically wanted to post the logs of the attack to see if
> anyone has seen
> this type of pattern ( eg. looking for the i.txt file, then
> putting it on
> the webserver etc..)
>
> Any feedback would definately help out , and once again I
> will post more
> info regarding this.
>
>
> Thanks,
>
> -rewtkits