Security Basics mailing list archives
got hit with iiscrack, trying to learn how it was done
From: jeffrey mergler <jeffreymergler () hotmail com>
Date: 5 Nov 2002 17:14:22 -0000
I think I understand how this incident occurred but there are some pieces that I feel I do not understand. Specifically, I would like to understand start to finish, how it happened, where I went wrong, and how to prevent it. Here's the executive summary.

We installed IIS 5 on a server, exposed http through the firewall in order to test a new web based email program that works with our mail server. Mail server, IIS, new mail software all on same NT 4 box. Unfortunately, we installed all windows update patches but were not diligent enough to install this one: IIS 5.0 Privilege Escalation Exploit (Entercept Advisory): http://online.securityfocus.com/archive/101/209309 I am aware that not this lack of diligence here with patch installs would have prevented the problem.

We noticed nothing until we experienced (I guess) classic symptoms of a DOS attack. Internet access was dead from all computers on the network. After some examination of firewall logs, we realized we were being used as a source of a DDoS attack (against the US DOD no less, which infuriates me even more). We cut the server off and started looking for problems. I found in my webroot/scripts folder: a .cmd file that opened up an ftp client session, connected anonymously to some college server, and downloaded a file which then got renamed to httpodbc.dll. This backdoor dll is the infamous exploit described above. This fascinated me... how did this thing work? Well I poked around and found this file on www.digitaloffence.net and intentionally infected a laptop and connected to that laptop and voila, I have cmd line control of the other laptop. dang.

So, after piecing together all of this, I am still puzzled. I do not understand:

a) how the person used the vulnerability to get the cmd file onto the computer and executed it. Once the dll is installed, it's straightforward to use, and I understand completely how ftp got it there. But how did the cmd file get there in the first place, and how was it executed?

b) I think that the IIS priv escalation vuln is what allows the iiscrack.dll/httpodbc.dll backdoor to do its stuff (control the pc) but is that vuln also the hole that allowed the hacker to get that cmd file on there, which in turn started the ftp session? I am definitely missing something here!

c) finally, how did Norton system security not stop that file from being copied/ftp'ed to the server? When I intentionally infected a laptop, I had to shut off real-time file protection. The hacked server also had this Norton installed, virus defs up-to-date, and real-time file protection enabled.

Can someone fill in some of the missing pieces? Thanks!! Jeff
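A defender-side check suggested by the artifacts Jeff describes (a .cmd file under webroot/scripts and the httpodbc.dll backdoor), added here as an example and not part of the original post or the thread: scan IIS 5 W3C extended logs for requests to executables under /scripts/ and for the backdoor DLL name. The log excerpt, the file name getit.cmd and the IP addresses are constructed; a webmail app that legitimately serves executables from /scripts/ can be allowlisted.

```python
# Flag suspicious requests in IIS W3C extended logs (constructed sample below).
SUSPECT_EXT = {".cmd", ".bat", ".exe", ".com"}
# DLL names taken from the post; any request for them deserves a look.
KNOWN_BACKDOOR_NAMES = {"httpodbc.dll", "iiscrack.dll"}

# Constructed log excerpt; field order follows the #Fields: line as IIS writes it.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-11-01 03:12:44 10.0.0.5 GET /default.htm - 200
2002-11-01 03:14:02 192.0.2.77 GET /scripts/getit.cmd - 200
2002-11-01 03:14:09 192.0.2.77 GET /scripts/httpodbc.dll - 200
2002-11-01 03:15:30 10.0.0.9 GET /images/logo.gif - 304
2002-11-01 03:16:01 192.0.2.77 POST /scripts/httpodbc.dll - 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or header-less line; skip rather than guess
        yield dict(zip(fields, parts))

def find_suspicious(text, allowed_scripts=()):
    """Return (timestamp, client ip, uri, status, reason) for each hit."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec["cs-uri-stem"].lower()
        name = stem.rsplit("/", 1)[-1]
        ext = name[name.rfind("."):] if "." in name else ""
        reason = None
        if name in KNOWN_BACKDOOR_NAMES:
            reason = "request for known backdoor DLL name"
        elif stem.startswith("/scripts/") and ext in SUSPECT_EXT \
                and name not in allowed_scripts:
            reason = "executable requested under /scripts/"
        if reason:
            findings.append((rec["date"] + " " + rec["time"], rec["c-ip"],
                             rec["cs-uri-stem"], rec["sc-status"], reason))
    return findings

def source_ips(findings):
    """Distinct client addresses behind the hits, for firewall log correlation."""
    return sorted({f[1] for f in findings})
```

A status of 200 on the .cmd request is the line to chase first, since it shows the file already existed and was served, so the actual upload path has to be found in earlier entries or in the FTP and firewall logs.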
Current thread:
- got hit with iiscrack, trying to learn how it was done jeffrey mergler (Nov 07)
- re: got hit with iiscrack, trying to learn how it was done H C (Nov 09)