Security Incidents mailing list archives
IIS Exploit...
From: Chris Hobbs <chobbs () SILVERVALLEY K12 CA US>
Date: Tue, 8 May 2001 16:51:48 -0700
Well, not too much info here - regrettably my snort rules file got zeroed out when whitehats.com changed their format. So, all I have is my IIS logs - however, it's pretty straightforward what happened:

19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
19:01:06 210.45.192.25 GET /scripts/root.exe 502
19:01:10 210.45.192.25 GET /scripts/root.exe 502
19:01:14 210.45.192.25 GET /scripts/root.exe 502
19:01:14 210.45.192.25 GET /scripts/root.exe 502

That goes on for quite some time - it ended up creating several files in every directory on the website - index.asp, index.htm, default.asp, and default.htm.

IP address resolves to a university in China, so I suspect the odds of getting assistance are about nil.

Moral of the story: I upgraded to SP6A on this NT4 box 10 days ago. Running IIS 4.0 still. I assumed that SPs applied patches to the web server as well as the OS - either this isn't the case, or something new developed in those last 10 days.

Conveniently, I had already set up a Linux box to replace this IIS server, and had copied over the entire site just two days prior to the attack. I _will_ be keeping better track of Apache and php exploits, since I really don't want this to happen again :)

--
Chris Hobbs
Silver Valley Unified School District
Head geek: Technology Services Coordinator
webmaster: http://www.silvervalley.k12.ca.us/chobbs/
postmaster: chobbs () silvervalley k12 ca us
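The log excerpt above is enough to build a detector for this pattern. The following script is an added example written for this archive page, not code from the original post: it parses IIS log lines in the five-field layout shown (time, client IP, method, URI stem, status), flags any request whose path climbs out of the web root with `..` or that targets `cmd.exe` or `/scripts/root.exe` (the two names that appear in the post), and counts per client how many of those requests were answered with 200 rather than an error. It goes slightly beyond the post by also decoding percent-encoded and overlong two-byte UTF-8 forms of the same `..` traversal before normalising the path; the sample log embeds the seven lines from the post plus three constructed lines (the `192.0.2.10` client, including one `%c0%af` variant) that are not from the original.

```python
"""Flag directory-traversal and cmd.exe/root.exe requests in IIS-style log lines.

Added example for the archived post above; not the poster's own tooling.
Log layout assumed (as in the post): time client-ip method uri-stem status
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the first seven lines are copied from the post, the
# last three (client 192.0.2.10) are made up here, including one percent-
# encoded overlong-UTF-8 variant of the same traversal.
SAMPLE_LOG = """\
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:00:57 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 200
19:01:02 210.45.192.25 GET /scripts/../../winnt/system32/cmd.exe 502
19:01:06 210.45.192.25 GET /scripts/root.exe 502
19:01:10 210.45.192.25 GET /scripts/root.exe 502
19:01:14 210.45.192.25 GET /scripts/root.exe 502
19:01:14 210.45.192.25 GET /scripts/root.exe 502
19:05:00 192.0.2.10 GET /index.htm 200
19:05:01 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe 200
19:05:02 192.0.2.10 GET /images/../index.htm 200
"""

LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})\s*$")
PERCENT = re.compile(rb"%([0-9A-Fa-f]{2})")
# A lead byte 0xC0/0xC1 followed by a continuation byte is an overlong
# two-byte encoding of an ASCII character; strict UTF-8 decoders reject it,
# so we fold it back to the ASCII byte ourselves.
OVERLONG2 = re.compile(rb"[\xc0\xc1]([\x80-\xbf])")


def decode_uri(uri: str) -> str:
    """Percent-decode once, then collapse overlong 2-byte UTF-8 (e.g. %c0%af -> '/')."""
    raw = PERCENT.sub(lambda m: bytes([int(m.group(1), 16)]),
                      uri.encode("latin-1", "replace"))

    def fold(m: "re.Match[bytes]") -> bytes:
        lead, cont = m.group(0)[0], m.group(1)[0]
        return bytes([((lead & 0x1F) << 6) | (cont & 0x3F)])

    return OVERLONG2.sub(fold, raw).decode("latin-1")


def escapes_webroot(path: str) -> bool:
    """True if walking the segments ever climbs above the web root.

    posixpath.normpath would silently drop leading '..' components, which is
    exactly the information we want, so the depth is tracked by hand. Both
    '/' and '\\' are treated as separators, as IIS does.
    """
    depth = 0
    for seg in re.split(r"[/\\]+", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


@dataclass
class Finding:
    time: str
    client: str
    uri: str
    status: int
    reasons: List[str]


def classify(uri: str) -> List[str]:
    """Return the list of reasons a URI is suspicious (empty if none)."""
    decoded = decode_uri(uri)
    reasons = []
    if escapes_webroot(decoded):
        reasons.append("traversal")
    last = re.split(r"[/\\]", decoded)[-1].lower()
    if last == "cmd.exe":
        reasons.append("cmd.exe")
    if last == "root.exe":          # the backdoor name seen in the post's log
        reasons.append("root.exe")
    return reasons


def scan(log_text: str) -> List[Finding]:
    """Parse every well-formed line and keep those with at least one reason."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        time, client, _method, uri, status = m.groups()
        reasons = classify(uri)
        if reasons:
            findings.append(Finding(time, client, uri, int(status), reasons))
    return findings


def per_client(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per client: flagged requests, and how many the server answered with 200.

    A 200 on a cmd.exe request means IIS served it rather than refusing it,
    which is the signal that the traversal actually worked.
    """
    out: Dict[str, Dict[str, int]] = {}
    for f in findings:
        c = out.setdefault(f.client, {"hits": 0, "succeeded": 0})
        c["hits"] += 1
        if f.status == 200:
            c["succeeded"] += 1
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.time, f.client, f.status, ",".join(f.reasons), f.uri)
    print(per_client(SAMPLE_LOG and scan(SAMPLE_LOG)))
```

Run against a real IIS log, drop any extra fields before the status column into the regex; the rest of the logic only needs the client, URI and status. The `/images/../index.htm` line is deliberately left unflagged: a `..` that stays inside the web root is ordinary, and alerting on it would bury the real hits.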
Current thread:
- IIS Exploit... Chris Hobbs (May 08)
- Re: IIS Exploit... Hugo van der Kooij (May 08)
- Re: IIS Exploit... Bob Johnson (May 10)
- Re: IIS Exploit... Brian Caswell (May 10)
- <Possible follow-ups>
- Re: IIS Exploit... Schmidt, Mike (May 10)