Security Incidents mailing list archives
Re: pimpshiz / put i.txt
From: "Larimer, Jon (ISSAtlanta)" <JLarimer () ISS NET>
Date: Thu, 5 Oct 2000 12:33:58 -0400
You probably have write access enabled to the root directory of your server. This is bad. To see if you do, try:

    computer:~$ nc machine_to_test 80
    PUT /dingding HTTP/1.1
    Host: 127.0.0.1
    Content-type: text/plain
    Content-length: 4

    asdf
    <hit enter a couple times>

If you get a HTTP 201 or 200 return code, the upload was successful and you will now have a "dingding" file on your server. If that happens, you should fix it. Check the "Home Directory" tab in your web site properties dialog and check to see that Write access is not enabled. You should make sure IUSR_WHATEVER doesn't have write access to the web documents directory (inetpub\wwwroot)... if they do, and IIS has writing enabled, someone could cause a bunch of problems for you.

I would guess that pimpshiz has a script that scans the net looking for servers that are vulnerable to this problem. IIS is not vulnerable by default.

-jon

=====================================================================
Jon Larimer                         | Direct Dial: (678) 443-6159
Systems Engineer / ISS X-Force Team | ISS Front Desk: (678) 443-6000
Internet Security Systems, Inc.     | ISS Fax: (678) 443-6477
=====================================================================
-----Original Message-----
From: Rewt, Kit [mailto:rewtkits () HUSHMAIL COM]
Sent: Wednesday, October 04, 2000 6:26 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: pimpshiz / put i.txt

I was wondering if anyone on the list has had their website hit by the notorious '_pimpshiz_'. Here are some logs from the 'penetrated' webserver.

23:55:35 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx HEAD /i.txt - 404 2 143 136 10 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
23:55:37 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /index.asp - 200 0 17258 130 1833 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
23:55:39 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx PUT /i.txt - 201 0 276 218 300 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 -
23:55:45 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /i.txt - 200 0 264 339 360 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt) -
23:55:51 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /index.asp - 200 0 17488 334 1662 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt) -
23:55:54 xxx.xxx.xx.xx - W3SVC37 WEB371 xxx.xxx.xx.xx GET /graphics/tab_athome.off.gif - 200 0 492 266 420 80 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+5.0;

We are running the latest version of IIS. Sorry for the lack of details on the actual web server, I will provide more info in the next few days. I basically wanted to post the logs of the attack to see if anyone has seen this type of pattern (e.g. looking for the i.txt file, then putting it on the webserver etc..)

Any feedback would definitely help out, and once again I will post more info regarding this.

Thanks,
-rewtkits
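
The probe / PUT / fetch pattern in the quoted log can be searched for mechanically. The script below is an added example, not part of either post: it flags every PUT answered with 200 or 201 and notes whether the same client probed the path first and whether the file was later served. The field positions are assumed from the layout of the posted lines, and the sample log is constructed using documentation addresses.

```python
# Added example: flag successful HTTP PUT uploads in IIS-style log lines.
# Field positions are an assumption taken from the layout of the lines in the post.
from collections import namedtuple

Hit = namedtuple("Hit", "time client method path status")

# Constructed sample (documentation addresses), modelled on the posted log lines.
SAMPLE_LOG = """\
23:55:35 192.0.2.10 - W3SVC37 WEB371 198.51.100.5 HEAD /i.txt - 404 2 143 136 10 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
23:55:37 192.0.2.10 - W3SVC37 WEB371 198.51.100.5 GET /index.asp - 200 0 17258 130 1833 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 - -
23:55:39 192.0.2.10 - W3SVC37 WEB371 198.51.100.5 PUT /i.txt - 201 0 276 218 300 80 HTTP/1.0 NaviPress/2.0+AOLpress/2.0 -
23:55:45 192.0.2.10 - W3SVC37 WEB371 198.51.100.5 GET /i.txt - 200 0 264 339 360 80 HTTP/1.1 Mozilla/4.0 -
23:56:02 203.0.113.7 - W3SVC37 WEB371 198.51.100.5 PUT /test.txt - 403 5 0 120 15 80 HTTP/1.0 - - -
23:56:20 203.0.113.7 - W3SVC37 WEB371
"""

def parse_line(line):
    """Return a Hit, or None for blank, comment (#) or truncated lines."""
    f = line.split()
    if len(f) < 10 or line.startswith("#") or not f[9].isdigit():
        return None
    # IIS paths are case-insensitive, so compare them lower-cased.
    return Hit(f[0], f[1], f[6].upper(), f[7].lower(), int(f[9]))

def find_put_uploads(lines):
    """Report each PUT answered 200/201, with probe-before and fetch-after context."""
    hits = [h for h in map(parse_line, lines) if h]
    findings = []
    for i, h in enumerate(hits):
        if h.method != "PUT" or h.status not in (200, 201):
            continue  # rejected PUTs (403, 405, ...) did not write anything
        probed = any(p.client == h.client and p.path == h.path and p.status == 404
                     for p in hits[:i])
        fetched = any(n.path == h.path and n.method == "GET" and n.status == 200
                      for n in hits[i + 1:])
        findings.append({"time": h.time, "client": h.client, "path": h.path,
                         "probed_first": probed, "fetched_after": fetched})
    return findings

if __name__ == "__main__":
    for finding in find_put_uploads(SAMPLE_LOG.splitlines()):
        print(finding)
```

Any finding at all means write access is enabled on that path and the uploaded file should be reviewed and removed.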