Re: exploited win2k box, not quite sure how:

["Scott Fendley" <scottf () uark edu>]

There are several things I would look at on this computer.

Was there an admin password set on the computer?  There has been a long
discussion on the Unisog mailing list about Univs getting hit by hackers
walking right through the front door on 2k/XP machines.  If the admin
password was easy or NULL, this would be my first guess.

The second thing I would look for is to make sure that the IIS ftp server
was not set to allow anonymous users a chance to write to the hard drive.
We have had a slew of 0-day ftp servers show up with similar tagging
methods.  The tagging file/directories are used by automated processes
that are seeing if they can write a file to the computer before they try
to push their Warez/Porn/Junk on your computer and announcing it to their
buddies to download.

The third thing I would wonder is if you have a root.exe available under
the inetpub directory for the web server.  If you have nimda droppings on
your computer, chances are that you were exposed to Nimda and hackers are
using the root.exe to execute arbitrary commands on your system.  This
could come down through the IIS server, email, open file shares, and other
possible attack vectors if it was just nimda.

The last one I would check Has the SA account on SQL server had a password
set?  Has it been patched?  There are intrusions that are occuring due to
SQL statements that can be mangled in such a way that arbitrary commands
can be executed.

Have you looked through the logs of the IIS servers you are using to see
what evidence may be still there?  Are you sure that you have patched all
of the computer (IIS, SQL, Win2k past the SP2 patches)?  There is very
limited information that you have mentioned in the below email, so I can
only guess on likely possibilities from my experience on a Univ campus.
Maybe the above possibilities can help you determine which of the attack
methods might be possible.  Look through the IIS logs and see if there is
anything in there that makes you suspect one of the above over the others.

If you would like me to send you the references to each of the above from
various mailing lists and web sites, I would be willing to sit down later
tonight and look them up for you.

Scott


On Fri, 17 May 2002, John Jasen wrote:

> Got a wierd one here.
>
> Win2k server, SP2
> IIS 5.0
> SQL server 7
> ipswitch imail 6.x
>
> Its definitely been broken into. PC-cillian bas picked up a few nimda
> files, and there is a directory c:\tAGGEd with various subdirectories
> under it, and an unopenable file C:\TaGGed By Ca$e.
>
> I'm working on getting a disk image up for perusal, but that might take a
> few days.
>
> Anybody seen this yet? Searching securityfocus, McAfee, Google, and a few
> other places has come up dry.
>
> --
> -- John E. Jasen (jjasen1 () umbc edu)
> -- User Error #2361: Please insert coffee and try again.
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com