Security Incidents mailing list archives

Re: automatic hacking tool for IIS?


From: Patrick Andry <pandry () wolverinefreight ca>
Date: Wed, 19 Jun 2002 17:16:54 -0400

I've run into one of these machines. It made a single request for "/scripts/..%5c%5c../winnt/system32/cmd.exe". Some research on the box showed it to be an unadministered NT box. Being as it seemed to be a forgotten child, I portscanned it, telnetted to some of the open ports, and found the exact same thing. Serve_u on port 2002, box vulnerable to unicode exploit. The FTP message differed, which leads me now to believe that it's a tool making the rounds.

Matt Andreko wrote:
I have recently seen a few computers at a client site that have been
compromised, apparently because of unpatched IIS servers.  I mainly
assumed that they were just done all together, since they had the same
"style" of break-in.  Some IIS hack was done, and a copy of ServU was
uploaded, and ran on port 2002.  (The ServU config file is at the bottom
of this email).  All the files were stored in
"c:\inetpub\iissamples\homepage\themes\journal\file\move\up\".  The
messages for the FTP server state "Hacked by Hollowman for Rotter
Board".
Then I was at another client site, and saw a machine compromised the
exact same way, and thought it to be more than a coincidence.  I believe
that there is an automated tool going around to auto-hack IIS machines
that are open, and make them a public dump site for warez (pirated
software WAS found on these machines, in the folder listed above).

Does anyone know if this is some automated attack roaming on the net by
script kiddiez, or are there just a lot of people hacking machines the
exact same way?
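
An added example, not part of either post: a log check for the request Patrick quotes, generalised to percent-encoded variants of the same path. The log field layout, the sample lines and the function names are assumptions made for this example.

```python
from urllib.parse import unquote_to_bytes

# Constructed log lines (not from the thread). Assumed field order:
# date time c-ip cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2002-06-19 21:10:02 192.0.2.10 GET /default.htm 200
2002-06-19 21:10:05 192.0.2.77 GET /scripts/..%5c%5c../winnt/system32/cmd.exe 200
2002-06-19 21:10:06 192.0.2.77 GET /scripts/..%255c../winnt/system32/cmd.exe 404
2002-06-19 21:10:07 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe 404
2002-06-19 21:10:09 192.0.2.10 GET /scripts/search.asp 200
"""

def canonicalise(uri_stem, max_rounds=5):
    """Percent-decode until the bytes stop changing; return (path, rounds)."""
    data, rounds = uri_stem.encode("latin-1", "replace"), 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    # Backslash is a path separator on Windows; names are case-insensitive.
    return data.replace(b"\\", b"/").lower(), rounds

def classify(uri_stem):
    """Return the reasons a request path resembles the probe (empty if none)."""
    path, rounds = canonicalise(uri_stem)
    segments = path.split(b"/")
    reasons = []
    if b".." in segments:
        reasons.append("traversal")
    if rounds > 1:
        reasons.append("multi-encoded")
    # 0xC0 and 0xC1 never occur in valid UTF-8; they only start overlong forms.
    if b"\xc0" in path or b"\xc1" in path:
        reasons.append("overlong-utf8")
    if segments[-1] == b"cmd.exe":
        reasons.append("cmd.exe")
    return reasons

def scan(log_text):
    """Return (client_ip, uri_stem, status, reasons) for each suspicious line."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 6:
            continue  # skip W3C header lines and anything not in the assumed layout
        _, _, ip, _, uri, status = fields
        reasons = classify(uri)
        if reasons:
            hits.append((ip, uri, status, reasons))
    return hits
```

Grouping the hits by client address and checking which ones received a success status gives a short list of hosts to inspect for the port 2002 listener both posts describe.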



