Security Incidents mailing list archives
RE: Trojan of somesort - Update
From: "Lachniet, Mark" <mlachniet () sequoianet com>
Date: Thu, 27 May 2004 16:39:05 -0400
I agree with Harlan. Just for yucks, I threw up a totally patched Win2k box on my cable modem segment. It was hardened, wasn't used for browsing, etc. The *only* thing I changed was a single check box in IIS that said to allow write access on the FTP server. Of course, since default filesystem permissions allow anyone to write to the drive, that meant public write capability. I kept an eye on the box to see how long it took for the warez guys to find it. The results:

1) About a week for the "mkdir" scanner to find the site and tag it (there is honor among thieves?)
2) About 2 weeks for the warez person to come back and create the file structure (a bunch of really deep directories with names like COM1 and LPT1 that are painful to remove)
3) About 1 week for the uploads to arrive (darn, it was French movies)
4) About 1 day before the leeches arrived and started downloading
5) About .5 days later I pulled it down and sent it to a local forensic examiner for fun

Anyway, *if* the box is truly hacked, you can bet you'll find the usual pubstros - IRC bots, multiple FTP servers on weird ports, etc, but just finding warez is no indication you were hacked.

Mark Lachniet
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Thursday, May 27, 2004 3:27 PM
To: incidents () securityfocus com
Cc: Paul Schmehl; Bob the Builder
Subject: Re: Trojan of somesort - Update

Paul,

> This is not surprising. It's been my experience that boxes that get "tagged" (i.e. set up as ftp sites for warez) get hacked by automated scripts and later get filled up with warez.

While it's true that the "tagged" FTP sites were filled w/ warez, my own investigations into these events showed quite clearly that not a single site was "hacked". Rather, the automated script would look for FTP sites that allowed an anonymous user to write to the drive (check was done using "mkdir" command). As the script was automated, it simply rm'd the directory it created (if successful) and recorded the IP address for later use. Again, by simply reviewing the logs, it was easy to see that none of the sites was "hacked".
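The log review Harlan describes, and the stages Mark lists (anonymous mkdir/rmdir probe, then the deep COM1/LPT1 tree, then uploads, then leeches), can be checked mechanically from the FTP server's own log. The script below is an added example written for this archive page, not code from either poster. It parses constructed log lines in the IIS W3C extended style; the exact field set and the bracketed session prefix on cs-method are assumptions about that format, and the parser reads whichever fields the `#Fields:` directive declares so it can be pointed at a real file.

```python
"""Flag the anonymous-FTP "tagging" pattern in IIS-style W3C FTP logs (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample log. Field names and the "[n]" session prefix on
# cs-method are assumptions modelled on IIS 5 W3C extended FTP logging.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2004-05-20 02:11:03 203.0.113.7 anonymous [1]USER anonymous 331
2004-05-20 02:11:03 203.0.113.7 anonymous [1]PASS guest@ 230
2004-05-20 02:11:04 203.0.113.7 anonymous [1]MKD /040520021104p 257
2004-05-20 02:11:04 203.0.113.7 anonymous [1]RMD /040520021104p 250
2004-05-20 02:11:05 203.0.113.7 anonymous [1]QUIT - 226
2004-06-03 23:40:10 198.51.100.9 anonymous [2]MKD /tagged 257
2004-06-03 23:40:11 198.51.100.9 anonymous [2]MKD /tagged/COM1 257
2004-06-03 23:40:12 198.51.100.9 anonymous [2]MKD /tagged/COM1/LPT1 257
2004-06-10 01:02:03 198.51.100.9 anonymous [3]created /tagged/COM1/LPT1/film.r00 226
2004-06-10 05:00:00 192.0.2.44 anonymous [4]sent /tagged/COM1/LPT1/film.r00 226
2004-06-10 05:00:01 192.0.2.44 jsmith [5]sent /pub/readme.txt 226
"""

# Win32 reserved device names; directories with these names are awkward to delete
# through normal tools, which is why they show up in warez directory trees.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})
METHOD_RE = re.compile(r"^(?:\[\d+\])?(\w+)$")  # strip optional "[n]" session prefix


def parse_w3c(text):
    """Return one dict per data line, keyed by the names in the #Fields: directive."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):  # skip malformed lines rather than guess
            continue
        row = dict(zip(fields, parts))
        row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        m = METHOD_RE.match(row["cs-method"])
        row["method"] = (m.group(1) if m else row["cs-method"]).upper()
        rows.append(row)
    return rows


def analyze(rows, probe_window=timedelta(seconds=30)):
    """Return (kind, client_ip, path) findings for anonymous sessions only.

    write_probe     MKD immediately followed by RMD of the same path (the scanner's tag check)
    warez_structure MKD of a deep path or one using a reserved device name
    anon_upload     file created by an anonymous user
    leech_download  anonymous download of a file that was anonymously uploaded
    """
    findings, pending_mkd, uploaded = [], {}, set()
    for r in rows:
        if r["cs-username"].lower() != "anonymous":
            continue
        ip, path, method = r["c-ip"], r["cs-uri-stem"], r["method"]
        if method == "MKD" and r["sc-status"].startswith("2"):
            pending_mkd[(ip, path)] = r["ts"]
            names = [p.upper() for p in path.strip("/").split("/") if p]
            if len(names) >= 3 or any(n in RESERVED for n in names):
                findings.append(("warez_structure", ip, path))
        elif method == "RMD":
            t0 = pending_mkd.pop((ip, path), None)
            if t0 is not None and r["ts"] - t0 <= probe_window:
                findings.append(("write_probe", ip, path))
        elif method in ("STOR", "CREATED"):
            uploaded.add(path)
            findings.append(("anon_upload", ip, path))
        elif method in ("RETR", "SENT") and path in uploaded:
            findings.append(("leech_download", ip, path))
    return findings


if __name__ == "__main__":
    for kind, ip, path in analyze(parse_w3c(SAMPLE_LOG)):
        print(f"{kind:16} {ip:15} {path}")
```

On the constructed sample this reports the scanner's mkdir/rmdir probe from the first address, two reserved-name directory creations and one upload from the second, and a download of that uploaded file by a third. Note what it does not report: none of these events requires any compromise of the host, which is exactly the distinction the thread is drawing. A real log may use different method spellings, so check the `cs-method` values your server writes before trusting the `STOR`/`CREATED` and `RETR`/`SENT` mapping.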
Current thread:
- Re: Trojan of somesort - Update, (continued)
- Re: Trojan of somesort - Update Paul Schmehl (May 28)
- Re: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Trojan of somesort - Update Gadi Evron (May 28)
- Changing file times, was -> Re: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Changing file times, was -> Re: Trojan of somesort - Update Gadi Evron (May 28)
- RE: Trojan of somesort - Update David Gillett (May 28)
- Re: Trojan of somesort - Update Harlan Carvey (May 28)
- Administrivia: Trojan of somesort - Hack definition branch == dead Daniel Hanson (May 29)