Security Incidents mailing list archives
Re: Trojan of somesort - Update
From: Paul Schmehl <pauls () utdallas edu>
Date: Thu, 27 May 2004 21:59:03 -0500
--On Thursday, May 27, 2004 12:26 PM -0700 Harlan Carvey <keydet89 () yahoo com> wrote:
> Paul,
>
>> This is not surprising. It's been my experience that boxes that get "tagged" (i.e. set up as ftp sites for warez) get hacked by automated scripts and later get filled up with warez.
>
> While it's true that the "tagged" FTP sites were filled w/ warez, my own investigations into these events showed quite clearly that not a single site was "hacked". Rather, the automated script would look for FTP sites that allowed an anonymous user to write to the drive (check was done using "mkdir" command). As the script was automated, it simply rm'd the directory it created (if successful) and recorded the IP address for later use. Again, by simply reviewing the logs, it was easy to see that none of the sites was "hacked".

That's interesting. The last one that I looked at had been hacked through IIS, using RFP's MSADC exploit - twice - in two different months. (This was obvious by correlating the dates of the log entries with the creation dates of the corresponding files.) Others that I've studied were hacked through MSSQL server, because the sa password was either blank or easily guessed. One that used to get hacked constantly (until I fixed the problem permanently) was being hacked through the IIS directory traversal vulnerability.
We did have an administrator who kept setting up an anonymous upload site and couldn't figure out how the skiddies were finding it so fast, but in our network that's been the exception rather than the rule.
Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu
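As an added example (not code from this thread or its authors), here is a small Python check that applies Harlan's observation to FTP server logs from the defender's side: it flags anonymous sessions that create a directory and remove it again within seconds without transferring anything, which is the signature of a writability probe rather than a compromise. The log line format, the sample lines and the client addresses are all constructed for this example, not any real server's.

```python
# Added example, not code from the thread: flag the anonymous-FTP "can I write
# here?" probe described above (MKD, then an immediate RMD, no transfer) in a
# server log. The log format is constructed for this example, not any real
# server's: <ISO time> <client ip> <user> <command> [<argument>]
from datetime import datetime

# Constructed sample: one probe, one normal anonymous download, one staff upload.
SAMPLE_LOG = """\
2004-05-27T10:01:02 203.0.113.7 anonymous USER anonymous
2004-05-27T10:01:03 203.0.113.7 anonymous MKD tmp
2004-05-27T10:01:03 203.0.113.7 anonymous RMD tmp
2004-05-27T10:01:04 203.0.113.7 anonymous QUIT
2004-05-27T10:05:01 198.51.100.9 anonymous CWD pub
2004-05-27T10:05:02 198.51.100.9 anonymous RETR README
2004-05-27T11:00:00 192.0.2.5 alice MKD reports
2004-05-27T11:00:30 192.0.2.5 alice STOR reports/q2.csv
2004-05-27T11:00:31 192.0.2.5 alice RMD reports
"""

def parse_line(line):
    """Split one log line into (time, ip, user, command, argument) or None."""
    parts = line.split(None, 4)
    if len(parts) < 4:
        return None
    arg = parts[4] if len(parts) == 5 else ""
    return datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3].upper(), arg

def find_probes(log_text, window_seconds=5):
    """Return (ip, directory) pairs where an anonymous MKD was undone by an RMD
    within window_seconds and the client transferred nothing in between."""
    pending = {}  # (ip, directory) -> time of the anonymous MKD
    probes = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        ts, ip, user, cmd, arg = rec
        if cmd in ("STOR", "RETR", "APPE"):
            # A real transfer: this client is using the server, not just probing.
            for key in [k for k in pending if k[0] == ip]:
                del pending[key]
        elif cmd == "MKD" and user == "anonymous":
            pending[(ip, arg)] = ts
        elif cmd == "RMD" and (ip, arg) in pending:
            if (ts - pending.pop((ip, arg))).total_seconds() <= window_seconds:
                probes.append((ip, arg))
    return probes

if __name__ == "__main__":
    for ip, d in find_probes(SAMPLE_LOG):
        print(f"possible writability probe from {ip}: MKD/RMD {d}")
```

A hit means the anonymous area is writable and has been noticed; the fix is to remove anonymous write access (or restrict it to a dedicated upload directory that is not also readable), not to treat the probe as a break-in.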
Current thread:
- Re: Trojan of somesort - Update Bob the Builder (May 27)
- Re: Trojan of somesort - Update Paul Schmehl (May 27)
- Re: Trojan of somesort - Update Pho Man (May 27)
- Re: Trojan of somesort - Update Harlan Carvey (May 27)
- Re: Trojan of somesort - Update Harlan Carvey (May 27)
- RE: Trojan of somesort - Update James C Slora Jr (May 28)
- RE: Trojan of somesort - Update Harlan Carvey (May 28)
- RE: Trojan of somesort - Update James C Slora Jr (May 29)
- RE: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Trojan of somesort - Update Pho Man (May 27)
- Re: Trojan of somesort - Update Gadi Evron (May 28)
- Re: Trojan of somesort - Update Paul Schmehl (May 27)
- Re: Trojan of somesort - Update Paul Schmehl (May 28)
- Re: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Trojan of somesort - Update Gadi Evron (May 28)
- Changing file times, was -> Re: Trojan of somesort - Update Harlan Carvey (May 28)
- Re: Changing file times, was -> Re: Trojan of somesort - Update Gadi Evron (May 28)
- <Possible follow-ups>
- Re: Trojan of somesort - Update Derek (May 28)
- RE: Trojan of somesort - Update David Gillett (May 28)
- Re: Trojan of somesort - Update Harlan Carvey (May 28)
- RE: Trojan of somesort - Update Lachniet, Mark (May 28)