Security Incidents mailing list archives

Re: Trojan of somesort - Update


From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 27 May 2004 21:59:03 -0500

--On Thursday, May 27, 2004 12:26 PM -0700 Harlan Carvey <keydet89 () yahoo com> wrote:

Paul,

>> This is not surprising.  It's been my experience that boxes that get
>> "tagged" (i.e. set up as ftp sites for warez) get hacked by automated
>> scripts and later get filled up with warez.

> While it's true that the "tagged" FTP sites were filled w/ warez, my own
> investigations into these events showed quite clearly that not a single
> site was "hacked".  Rather, the automated script would look for FTP sites
> that allowed an anonymous user to write to the drive (check was done using
> "mkdir" command).  As the script was automated, it simply rm'd the
> directory it created (if successful) and recorded the IP address for later
> use.

> Again, by simply reviewing the logs, it was easy to see that none of the
> sites was "hacked".

That's interesting. The last one that I looked at had been hacked through IIS, using RFP's MSADC exploit - twice - in two different months. (This was obvious by correlating the dates of the log entries with the creation dates of the corresponding files.) Others that I've studied were hacked through MSSQL server, because the sa password was either blank or easily guessed. One that used to get hacked constantly (until I fixed the problem permanently) was being hacked through the IIS directory traversal vulnerability.

We did have an administrator who kept setting up an anonymous upload site and couldn't figure out how the skiddies were finding it so fast, but in our network that's been the exception rather than the rule.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
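The probe Harlan describes (anonymous login, mkdir to test for write access, rmdir, record the IP, come back later and upload) leaves a distinctive trace in an FTP server's command log. The script below is an added example, written for this page rather than taken from either poster, that runs that check over a constructed sample log. The one-command-per-line log format (date, time, client IP, user, command, argument, reply code) is an assumption made for the example; wu-ftpd, ProFTPD and IIS each log differently, so only LINE_RE needs adapting for a real server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed one-line-per-command format:
#   date time client-ip user command argument reply-code
# The format is invented for this example; real FTP servers log differently,
# so LINE_RE is the only thing that has to change for real data.
SAMPLE_LOG = """\
2004-05-20 03:12:41 203.0.113.7 anonymous USER anonymous 331
2004-05-20 03:12:41 203.0.113.7 anonymous PASS guest@ 230
2004-05-20 03:12:42 203.0.113.7 anonymous CWD /pub/incoming 250
2004-05-20 03:12:42 203.0.113.7 anonymous MKD 010101010101 257
2004-05-20 03:12:43 203.0.113.7 anonymous RMD 010101010101 250
2004-05-20 03:12:43 203.0.113.7 anonymous QUIT - 221
2004-05-20 09:40:02 198.51.100.23 anonymous CWD /pub 250
2004-05-20 09:40:03 198.51.100.23 anonymous MKD test 550
2004-05-20 09:40:03 198.51.100.23 anonymous QUIT - 221
2004-05-21 14:05:10 192.0.2.44 jsmith MKD reports 257
2004-05-21 14:09:30 192.0.2.44 jsmith STOR reports/q2.xls 226
2004-05-24 22:17:05 203.0.113.7 anonymous CWD /pub/incoming 250
2004-05-24 22:17:06 203.0.113.7 anonymous MKD tagged 257
2004-05-24 22:17:09 203.0.113.7 anonymous STOR tagged/movie.r00 226
2004-05-24 22:19:51 203.0.113.7 anonymous STOR tagged/movie.r01 226
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<ip>\S+) (?P<user>\S+) "
    r"(?P<cmd>[A-Z]{3,4}) (?P<arg>\S+) (?P<code>\d{3})$"
)


def parse_log(text):
    """Parse the assumed log format into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["code"] = int(e["code"])
        entries.append(e)
    return entries


def find_write_probes(entries, window=timedelta(seconds=60)):
    """An anonymous MKD that succeeded (257) and was removed again (RMD, 250) by
    the same client within `window`, with nothing stored into it in between.
    That is the 'can I write here?' test, not a real upload.  A failed MKD
    (e.g. 550) is not a probe hit: the server refused the write."""
    probes = []
    by_ip = defaultdict(list)
    for e in entries:
        if e["user"] == "anonymous":
            by_ip[e["ip"]].append(e)
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e["cmd"] != "MKD" or e["code"] != 257:
                continue
            for f in evs[i + 1:]:
                if f["ts"] - e["ts"] > window:
                    break
                if f["cmd"] == "STOR" and f["arg"].startswith(e["arg"]):
                    break  # something was actually uploaded; not a bare probe
                if f["cmd"] == "RMD" and f["arg"] == e["arg"] and f["code"] == 250:
                    probes.append({"ip": ip, "ts": e["ts"], "dir": e["arg"]})
                    break
    return probes


def find_anonymous_uploads(entries):
    """Successful (226) anonymous STORs: the later 'fill it with warez' phase."""
    return [e for e in entries
            if e["user"] == "anonymous" and e["cmd"] == "STOR" and e["code"] == 226]


def link_probes_to_uploads(entries, window=timedelta(seconds=60)):
    """Map each probing IP to the files it stored afterwards: tag, then return."""
    uploads = find_anonymous_uploads(entries)
    linked = {}
    for p in find_write_probes(entries, window):
        later = [u["arg"] for u in uploads if u["ip"] == p["ip"] and u["ts"] > p["ts"]]
        linked[p["ip"]] = later
    return linked


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for p in find_write_probes(ents):
        print(f"write probe from {p['ip']} at {p['ts']}: mkdir/rmdir {p['dir']}")
    for ip, files in link_probes_to_uploads(ents).items():
        print(f"{ip} came back and stored: {files}")
```

On the sample, the only probe is the mkdir/rmdir pair from 203.0.113.7 on 20 May; the 198.51.100.23 attempt is not counted because its MKD was refused, and the authenticated user's MKD is ignored because the check is about anonymous write access. Four days later the same IP returns and stores files, which is exactly the two-phase pattern described above and the reason the probe, not the upload, is the earliest thing worth alerting on.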
