RE: Identify Method

["Keith.Morgan" <Keith.Morgan () Terradon com>]

Our honeypot was compromised this weekend following the exact same activity.
I haven't taken the time yet to do a forensic analysis of the box, and may
not bother.  I do know that the breach was via buffer overflows in wu-ftpd
(unpatched).  More detailed info may follow.

Keith T. Morgan
Chief of Information Security
Terradon Communications
keith.morgan () terradon com
304-755-8291 x142


> -----Original Message-----
> From: Ingersoll, Jared [mailto:JIngersoll () cswv com]
> Sent: Wednesday, May 30, 2001 8:18 AM
> To: 'CL: Nelson, Jeff'; 'FOCUS-MS () SECURITYFOCUS COM'
> Cc: incidents () securityfocus com
> Subject: RE: Identify Method
>
>
> Jeff,
>
> I found the same attempt was made on some of our systems. I 
> first noticed a
> scan
> in our firewall logs last Tuesday or Wednesday (5/22-5/23). After ftp
> service was detected, a login attempt was made by anonymous 
> with password
> guest () here com. We have no need for anonymous login and our 
> servers are
> patched up to the latest security patch, so I didn't worry, 
> just made note.
> I just assumed it was someone looking for anonymous ftp 
> servers. However,
> given your information below, I beginning to suspect that it may be
> something more malicious. Perhaps it is just a program 
> looking for anonymous
> ftp, but why try and created an *.asp file? Anyone else have 
> some input?
>
> Jared
> -----Original Message-----
> From: CL: Nelson, Jeff [mailto:JNelson () cmccontrols com]
> Sent: Tuesday, May 29, 2001 10:28 AM
> To: 'FOCUS-MS () SECURITYFOCUS COM'
> Subject: Identify Method
>
>
> Good day,
>
> Time to admit complete ignorance here. Some person created several
> directories in _vti_pvt. I've tried to replicate what I have 
> in my IIS logs
> to no avail. Here is what I see:
>
> USER  anonymous       331
> PASS  anonymous () on the net 230
> MKD   /_vti_pvt/+.+tagged+4+SWAA      257
> QUIT  -       257
>
> Then another 14 minutes later:
>
> USER anonymous 331
> PASS guest () here com 230
> created /1kbtest.ptf 250
> DELE /1kbtest 250
> created /space.asp 226
> DELE /space.asp 250
>
> First, what is going on? How were they able to do this? When 
> I try I get an
> error stating path cannot be found.
>
> Second, (and I think I've asked this before) is there a 
> resource that goes
> in-depth to what is taking place? Most of the material I have 
> is for Unix
> systems, not IIS.
>
> Regards,
>
> Jeff
>
> Jeffrey L. Nelson
> Network Manager; Cleveland Motion Controls
> jnelson () cmccontrols com; 216-642-5147
> ----
> "The musical notes are only five in number but their melodies, are so
> numerous that one cannot visualize them all."   -- Sun Tzu