Security Incidents mailing list archives

RE: New scanner?


From: "Rob Shein" <shoten () starpower net>
Date: Mon, 2 Dec 2002 00:09:42 -0500

I think what he's getting at is not the attack, but the pattern of them.
He's asking if any of us have seen a tool that generates a sequence of
718 attacks of those types, in that number, in that order.  He's asking
about the tool to generate the attacks, not if anyone has seen the
attacks themselves before :)

-----Original Message-----
From: newsletters [mailto:listserv () citadelconsulting net] 
Sent: Thursday, November 21, 2002 9:11 PM
To: 'Jeremy'; incidents () securityfocus com
Subject: RE: New scanner?


Jeremy,

I'm not sure if your serious or not, but this is probably the most
common IIS exploit found. Wherever the destination address is located
you're going to find IIS and a compromised scripts directory. The
command (cmd.exe) interpreter has been renamed and copied to the
c:\inetpub\scripts\root.exe and the intruder is using it to gain command
line access to your system. This is basically the ultimate goal of a
hacker. You need to search the system for root.exe and delete it. In
addition you need to check and reset the permissions for C:\inetpub\*.
At a minimum change the scripts directory to read only. Do a search on
bugtraq for codered II. That should give you a more detailed action
plan. My opinion would be to rebuild the box with all current patches
and service packs. 

Good Luck!

CB

-----Original Message-----
From: Jeremy [mailto:prrthd25 () yahoo com] 
Sent: Wednesday, November 20, 2002 10:30 AM
To: incidents () securityfocus com
Subject: New scanner?

Hello all,

  My snort box picked this up yesterday fron two
different source ip's and I was wondering if anyone
had seen this pattern before. Both times snort logged
718 alerts consisting of the following:

1 instances of WEB-IIS multiple decode attempt 
1 instances of FTP invalid MODE 
1 instances of WEB-MISC http directory traversal 
2 instances of WEB-IIS scripts access 
2 instances of (spp_portscan2) Portscan detected 
3 instances of WEB-IIS Unicode2.pl script (File
permission canonicalization) 
6 instances of POLICY FTP anonymous login attempt 
17 instances of WEB-IIS CodeRed v2 root.exe access 
685 instances of WEB-IIS cmd.exe access 

This may have been around awhile but its the first
time I've seen it, so I figured I would ask. If this
is something new I do have packets captures from all
the alerts.

Thanks,
  Jeremy

__________________________________________________
Do you Yahoo!?
Yahoo! Web Hosting - Let the expert host your site
http://webhosting.yahoo.com

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


Current thread: