Security Incidents mailing list archives
Re: new attack tool combining SMB and WebDAV?
From: Bill McCarty <bmccarty () apu edu>
Date: Mon, 31 Mar 2003 14:25:28 -0800
Hi Matt and all,

One of my Windows honeypots has logged this attack. I see both the ICMP datagrams having lower case letters reported by Matt Power and the upper case Es reported by James Slora. The tool succeeded in compromising the honeypot, presumably via the honeypot's weak (actually null) admin password. However, the attack might instead have capitalized on some IIS vulnerability, such as Web-DAV. I haven't found time to analyze the traffic or host in detail.
The attacker established a ServU FTP server running on port 61337, identifying himself by the user ID xtahc. He provided the server with the following banner (please pardon the anticipated line wraps):
mkd 10
mkd 11 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
!¡!¡!¡!¡!¡!¡!¡!¡
mkd 12 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Inf-alliance ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 13 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
!¡!¡!¡!¡!¡!¡!¡!¡
mkd 14 !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Games ] ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 15 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ Movies ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 16 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Appz ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 17 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ MP3's ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 18 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
!¡!¡!¡!¡!¡!¡!¡!¡
mkd 19 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Filled by ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 20 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ ©2003 Physix Productions ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 21 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
!¡!¡!¡!¡!¡!¡!¡!¡
mkd 22

Other information identified the compromised server as belonging to the OutpostFXP Pubstro community. I've been unable to learn more about that community.
I can dig up other information if doing so would be helpful. But, I'm pretty jammed just now.
Cheers,

Bill McCarty