Security Incidents mailing list archives

RE: Trojan of somesort - Update


From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Thu, 27 May 2004 16:39:05 -0400

I agree with Harlan.  Just for yucks, I threw up a totally patched Win2k
box on my cable modem segment.  It was hardened, wasn't used for
browsing, etc.  The *only* thing I changed was a single check box in IIS
that said to allow write access on the FTP server.  Of course, since
default filesystem permissions allow anyone to write to the drive, that
meant public write capability.

I kept an eye on the box to see how long it took for the warez guys to
find it.  The results:

1)  About a week for the "mkdir" scanner to find the site and tag it
(there is honor among thieves?)
2)  About 2 weeks for the warez person to come back and create the file
structure (a bunch of really deep directories with names like COM1 and
LPT1 that are painful to remove)
3)  About 1 week for the uploads to arrive (darn, it was French movies)
4)  About 1 day before the leeches arrived and started downloading
5)  About .5 days later I pulled it down and sent it to a local forensic
examiner for fun

Anyway, *if* the box is truly hacked, you can bet you'll find the usual
pubstros - IRC bots, multiple FTP servers on weird ports, etc., but just
finding warez is no indication you were hacked.

Mark Lachniet 

-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com] 
Sent: Thursday, May 27, 2004 3:27 PM
To: incidents () securityfocus com
Cc: Paul Schmehl; Bob the Builder
Subject: Re: Trojan of somesort - Update

Paul,
 
This is not surprising.  It's been my experience that boxes that get
"tagged" (i.e. set up as ftp sites for warez) get hacked by automated
scripts and later get filled up with warez.

While it's true that the "tagged" FTP sites were filled w/ 
warez, my own investigations into these events showed quite 
clearly that not a single site was "hacked".  Rather, the 
automated script would look for FTP sites that allowed an 
anonymous user to write to the drive (check was done using 
"mkdir" command).  As the script was automated, it simply 
rm'd the directory it created (if successful) and recorded 
the IP address for later use.

Again, by simply reviewing the logs, it was easy to see that 
none of the sites was "hacked".
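The thread's point is that the FTP log alone separates a "mkdir" tagging probe (anonymous login, MKD, immediate RMD of the same directory, quit) from an actual compromise or from the later warez drop (deep directory trees with reserved device names such as COM1 and LPT1, followed by uploads). The script below is an added example written for this archive page, not code from either poster. It assumes IIS-style W3C extended FTP logging with the fields time, c-ip, cs-method, cs-uri-stem and sc-status, with the connection id in brackets in front of the FTP verb (e.g. "[3]MKD"); the log lines embedded in it are constructed for illustration, and the "created"/"sent" spellings for transfers are an assumption about how IIS records them.

```python
"""Review an IIS-style FTP log for mkdir tagging probes and warez directory drops.

Added example for this thread, not the posters' code. Assumed log layout:
  time c-ip [session]VERB uri status   (W3C extended logging, IIS FTP service)
The sample log below is constructed; IPs are from documentation ranges.
"""
import re
from collections import defaultdict

METHOD_RE = re.compile(r"^\[(\d+)\](\w+)$")          # "[3]MKD" -> session 3, verb MKD
# Names Windows reserves for devices; directories so named are painful to delete.
RESERVED_NAMES = ({"CON", "PRN", "AUX", "NUL"}
                  | {f"COM{i}" for i in range(1, 10)}
                  | {f"LPT{i}" for i in range(1, 10)})
# FTP STOR plus the spelling IIS is assumed to use when it logs a completed upload.
UPLOAD_VERBS = {"STOR", "CREATED"}

# Constructed sample: session 1 is a tagging probe, 2 is a normal download,
# 3 is the warez crew building the tree and uploading.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
03:12:41 203.0.113.7 [1]USER anonymous 331
03:12:41 203.0.113.7 [1]PASS guest@ 230
03:12:42 203.0.113.7 [1]MKD 040520031242p 257
03:12:42 203.0.113.7 [1]RMD 040520031242p 250
03:12:42 203.0.113.7 [1]QUIT - 226
03:40:10 198.51.100.9 [2]USER anonymous 331
03:40:10 198.51.100.9 [2]PASS mozilla@ 230
03:40:11 198.51.100.9 [2]RETR /pub/readme.txt 226
03:40:12 198.51.100.9 [2]QUIT - 226
04:05:00 192.0.2.33 [3]USER anonymous 331
04:05:00 192.0.2.33 [3]PASS x@x.x 230
04:05:01 192.0.2.33 [3]MKD /pub/incoming/COM1 257
04:05:01 192.0.2.33 [3]MKD /pub/incoming/COM1/LPT1 257
04:05:03 192.0.2.33 [3]STOR /pub/incoming/COM1/LPT1/film.r00 226
04:05:09 192.0.2.33 [3]QUIT - 226
"""


def _seconds(hhmmss):
    """HH:MM:SS -> seconds since midnight (rollover past midnight is not handled)."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse_log(text):
    """Group records as (ip, session) -> [(seconds, VERB, uri, status), ...]."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue                                  # skip lines that do not fit the layout
        time, ip, method, uri, status = parts
        m = METHOD_RE.match(method)
        if not m:
            continue
        sid, verb = m.groups()
        sessions[(ip, sid)].append((_seconds(time), verb.upper(), uri, int(status)))
    return sessions


def _anonymous_login(events):
    user_anon = any(v == "USER" and u.lower() == "anonymous" for _t, v, u, _s in events)
    logged_in = any(v == "PASS" and s == 230 for _t, v, _u, s in events)
    return user_anon and logged_in


def find_mkdir_probes(sessions, window=10):
    """Anonymous sessions that MKD (257) and then RMD (250) the same path within
    `window` seconds without uploading anything: the scanner tagging the site."""
    hits = []
    for (ip, sid), events in sorted(sessions.items()):
        if not _anonymous_login(events):
            continue
        if any(v in UPLOAD_VERBS for _t, v, _u, _s in events):
            continue
        for t, verb, uri, status in events:
            if verb != "MKD" or status != 257:
                continue
            removed = any(v == "RMD" and u == uri and s == 250 and 0 <= t2 - t <= window
                          for t2, v, u, s in events)
            if removed:
                hits.append((ip, sid, uri))
    return hits


def find_reserved_device_dirs(sessions):
    """Directories successfully created under a reserved device name (COM1, LPT1, ...)."""
    hits = []
    for (ip, sid), events in sorted(sessions.items()):
        for _t, verb, uri, status in events:
            if verb == "MKD" and status == 257 and any(
                    seg.upper() in RESERVED_NAMES for seg in uri.split("/")):
                hits.append((ip, sid, uri))
    return hits


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_LOG)
    for ip, sid, path in find_mkdir_probes(sessions):
        print(f"tagging probe: {ip} session {sid} mkdir/rmdir {path}")
    for ip, sid, path in find_reserved_device_dirs(sessions):
        print(f"warez tree:    {ip} session {sid} created {path}")
```

A probe hit with nothing else in the log means only what Harlan describes: someone recorded that anonymous write works. The reserved-name directories plus uploads are the later warez drop; neither by itself is evidence that the host was compromised, so the next step is still the one Mark names, looking for the pubstro leftovers (IRC bots, extra FTP daemons on odd ports) rather than treating the warez as proof of a break-in.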
