Security Incidents mailing list archives

RE: Attack(s) caught by Okena


From: Marcus Gavel <mgavel () okena com>
Date: Wed, 11 Jun 2003 10:07:57 -0400

The third event is not an attack.

You will find that the mailslot message occurs when the IIS server is
restarted.
The default IIS policy is restrictive and denies access to resources we
did not deem essential to running a basic IIS server. If you attempt to
use FrontPage functions with the default policy, you'll likely run into
the same restrictions, as FrontPage was not deemed essential.

After discussions in the engineering group, we cannot recall any reason
to specifically deny this resource. It was caught under the best practice
of deny all and open only what is needed. Feel free to contact support;
they can walk you through the policy change that has been proposed for
the 4.0 release.

Marcus Gavel
Cisco Systems - Cisco Security Agent
  fka Okena - StormWatch


-----Original Message-----
From: Dimitri Limanovski [mailto:dlimanov () sct com]
Sent: Tuesday, June 10, 2003 10:53 AM
To: incidents () securityfocus com
Cc: Joe Mitchell
Subject: Attack(s) caught by Okena


Hello everyone,
In my evaluation of Okena (now Cisco) HIPS, I built a test system with a
"virgin" Win2K Server install that included a full install of IIS.
The machine was not patched (not even SP1) and placed out in the wild
without any kind of protection other than Okena's default Server,
Firewall and IIS policy modules.
After two months of repetitive attacks, it has yet to be compromised.
99% of the attacks are standard port scans and NetBIOS enumeration
attempts, along with numerous attempts to overflow buffers with various
IIS vulnerabilities.
Lately, I have seen the following entries in the Event Viewer that I
cannot interpret. Based on the time stamps, this looks like one attack,
but I can't figure out exactly which one. The first two events look like
a standard buffer overflow against inetinfo.exe. It's interesting to
note that while all of the usual default.ida?XXXXX and WebDAV attempts
are recorded in the Web logs, this one isn't showing up anywhere aside
from the Event Viewer. The third event looked to me like some kind of
variant of the SMBNuke/SMBDie attack, based on the
'\\TEST**\MAILSLOT\NET\NETLOGON' signature, but it's being called by
inetinfo.exe, which I haven't seen before.
Has anyone seen anything like this before? Any input is much
appreciated!

Dimitri

<start event 1>
Event Type: Warning
Event Source:     StormWatchAgent
Event Category:   Kernel Rule
Event ID:   256
Date:       6/10/2003
Time:       1:53:30 AM
User:       N/A
Computer:   IISTEST
Description:
The application 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user
IISTEST\IUSR_IISTEST) tried to call the function LoadLibraryA from a
buffer (the return address was 0x45b7b1). The code at this address is
'00005753 325f3332 2e444c4c 00ff55f4 8945bce8 07000000 736f636b
657400ff' This either happens when a program uses self-modifying code
or when a program has been subverted by a buffer overflow attack. The
user chose 'Terminate (no user interaction allowed)'.
</end event 1>

<start event 2>
Event Type: Error
Event Source:     StormWatchAgent
Event Category:   Kernel Rule
Event ID:   256
Date:       6/10/2003
Time:       1:53:30 AM
User:       N/A
Computer:   IISTEST
Description:
The application 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user
IISTEST\IUSR_IISTEST) tried to call the function LoadLibraryA from a
buffer (the return address was 0x45b7b1). The code at this address is
'00005753 325f3332 2e444c4c 00ff55f4 8945bce8 07000000 736f636b
657400ff' This either happens when a program uses self-modifying code
or when a program has been subverted by a buffer overflow attack. The
program was terminated.
</end event 2>

<start event 3>
Event Type: Error
Event Source:     StormWatchAgent
Event Category:   Kernel Rule
Event ID:   256
Date:       6/10/2003
Time:       1:53:32 AM
User:       N/A
Computer:   IISTEST
Description:
The process 'C:\WINNT\system32\inetsrv\inetinfo.exe' (as user NT
AUTHORITY\SYSTEM) tried to open/write the file
'\\TEST**\MAILSLOT\NET\NETLOGON' and was denied.
</end event 3>
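The part of these events that repays a few lines of script is the hex dump in events 1 and 2: the agent prints the bytes at the return address as 32-bit groups in memory order, and once they are turned back into bytes the printable runs are 'WS2_32.DLL' and 'socket', so the buffer inetinfo.exe was executing from names the Winsock DLL and a socket API, which is what the "subverted by a buffer overflow attack" branch of the event text looks like in practice. The script below is an added example for this thread, not Okena/Cisco code: it parses StormWatch event descriptions, classifies them as code-from-buffer or denied-file-access events, decodes the dump and extracts its strings. The event text is reproduced inline as constructed sample input (events 1 and 2 differ only in their final sentence, so only event 1 is included, together with event 3), and WATCH_LIST is an illustrative set of DLL and API names assumed here, not a Cisco artefact.

```python
"""Triage helper for Okena StormWatch / Cisco Security Agent "Kernel Rule" events.

Added example for this thread, not Okena/Cisco code: parses the event
descriptions quoted in the post, decodes the hex dump of the code at the
return address and extracts its printable strings, strings(1)-style.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: event 1 and event 3 from the post, joined onto
# single lines as the agent emits them (event 2 differs only in its ending).
EVENTS = [
    "The application 'C:\\WINNT\\system32\\inetsrv\\inetinfo.exe' (as user "
    "IISTEST\\IUSR_IISTEST) tried to call the function LoadLibraryA from a "
    "buffer (the return address was 0x45b7b1). The code at this address is "
    "'00005753 325f3332 2e444c4c 00ff55f4 8945bce8 07000000 736f636b "
    "657400ff' This either happens when a program uses self-modifying code "
    "or when a program has been subverted by a buffer overflow attack. The "
    "user chose 'Terminate (no user interaction allowed)'.",
    "The process 'C:\\WINNT\\system32\\inetsrv\\inetinfo.exe' (as user NT "
    "AUTHORITY\\SYSTEM) tried to open/write the file "
    "'\\\\TEST**\\MAILSLOT\\NET\\NETLOGON' and was denied.",
]

CODE_FROM_BUFFER = re.compile(
    r"The (?:application|process) '(?P<image>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"tried to call the function (?P<func>\w+) from a buffer "
    r"\(the return address was 0x(?P<ret>[0-9a-fA-F]+)\)\. "
    r"The code at this address is '(?P<code>[0-9a-fA-F ]+)'"
)
FILE_DENIED = re.compile(
    r"The (?:application|process) '(?P<image>[^']+)' \(as user (?P<user>[^)]+)\) "
    r"tried to (?P<op>[\w/]+) the file '(?P<path>[^']+)' and was denied"
)

# Assumed, illustrative watch list: DLLs and Win32 APIs that shellcode
# typically resolves by name once it has LoadLibraryA/GetProcAddress.
WATCH_LIST = {
    "ws2_32.dll", "wsock32.dll", "kernel32.dll", "msvcrt.dll",
    "socket", "bind", "listen", "accept", "connect", "recv", "send",
    "wsasocketa", "createprocessa", "winexec", "system", "getprocaddress",
}


@dataclass
class Event:
    kind: str                      # "code_from_buffer", "file_denied" or "unknown"
    image: Optional[str] = None
    user: Optional[str] = None
    function: Optional[str] = None
    return_address: Optional[int] = None
    code: bytes = b""
    strings: List[str] = field(default_factory=list)
    operation: Optional[str] = None
    path: Optional[str] = None

    def watch_hits(self) -> List[str]:
        """Embedded strings that name a DLL or API on the watch list."""
        return [s for s in self.strings if s.lower() in WATCH_LIST]


def hexwords_to_bytes(words: str) -> bytes:
    """The agent prints memory as space-separated 8-hex-digit groups in
    address order, so concatenating the groups yields the raw bytes."""
    return bytes.fromhex("".join(words.split()))


def printable_strings(data: bytes, min_len: int = 4) -> List[str]:
    """strings(1)-style extraction of printable ASCII runs."""
    found, run = [], ""
    for b in data + b"\x00":       # trailing NUL sentinel flushes the last run
        if 0x20 <= b < 0x7F:
            run += chr(b)
            continue
        if len(run) >= min_len:
            found.append(run)
        run = ""
    return found


def parse_event(description: str) -> Event:
    """Classify one StormWatch event description and extract its fields."""
    m = CODE_FROM_BUFFER.search(description)
    if m:
        code = hexwords_to_bytes(m["code"])
        return Event(kind="code_from_buffer", image=m["image"], user=m["user"],
                     function=m["func"], return_address=int(m["ret"], 16),
                     code=code, strings=printable_strings(code))
    m = FILE_DENIED.search(description)
    if m:
        return Event(kind="file_denied", image=m["image"], user=m["user"],
                     operation=m["op"], path=m["path"])
    return Event(kind="unknown")


if __name__ == "__main__":
    for ev in map(parse_event, EVENTS):
        print(ev.kind, ev.image, ev.user)
        if ev.kind == "code_from_buffer":
            print("  return address 0x%x, strings: %s, watch-list hits: %s"
                  % (ev.return_address, ev.strings, ev.watch_hits()))
        elif ev.kind == "file_denied":
            print("  %s denied on %s" % (ev.operation, ev.path))
```

Run against event 1 the script reports return address 0x45b7b1 and the strings WS2_32.DLL and socket, both on the watch list; event 3 is classified as a denied open/write of \\TEST**\MAILSLOT\NET\NETLOGON by NT AUTHORITY\SYSTEM, which is the record the vendor reply above attributes to an IIS restart rather than to an attack.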


