Security Incidents mailing list archives
Re: automatic hacking tool for IIS?
From: Patrick Andry <pandry () wolverinefreight ca>
Date: Wed, 19 Jun 2002 17:16:54 -0400
I've run into one of these machines. It made a single request for "/scripts/..%5c%5c../winnt/system32/cmd.exe". Some research on the box showed it to be an unadministered NT box. Being as it seemed to be a forgotten child, I portscanned it, telnetted to some of the open ports, and found the exact same thing. Serve_u on port 2002, box vulnerable to unicode exploit. The FTP message differed, which leads me now to believe that it's a tool making the rounds.
Matt Andreko wrote:
I have recently seen a few computers at a client site that have been compromised, apparently because of unpatched IIS servers. I mainly assumed that they were just done all together, since they had the same "style" of break-in. Some IIS hack was done, and a copy of ServU was uploaded and run on port 2002. (The ServU config file is at the bottom of this email). All the files were stored in "c:\inetpub\iissamples\homepage\themes\journal\file\move\up\". The messages for the FTP server state "Hacked by Hollowman for Rotter Board". Then I was at another client site, and saw a machine compromised the exact same way, and thought it to be more than a coincidence. I believe that there is an automated tool going around to auto-hack IIS machines that are open, and make them a public dump site for warez (pirated software WAS found on these machines, in the folder listed above). Does anyone know if this is some automated attack roaming on the net by script kiddiez, or are there just a lot of people hacking machines the exact same way?
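For defenders checking their own IIS logs for the request quoted in this thread, the following is an added example and not part of either poster's message. It assumes W3C extended log format with a `#Fields:` header; the log lines, IP addresses and function names are constructed for illustration, and it goes slightly beyond the thread by also decoding double-encoded separators.

```python
from urllib.parse import unquote

# Constructed sample in W3C extended log format (not taken from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-06-19 21:02:11 192.0.2.10 GET /default.htm - 200
2002-06-19 21:02:14 198.51.100.7 GET /scripts/..%5c%5c../winnt/system32/cmd.exe - 200
2002-06-19 21:02:15 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe - 404
2002-06-19 21:03:40 192.0.2.22 GET /docs/cmd.exe.txt - 404
2002-06-19 21:04:02 192.0.2.22 GET /scripts/report.asp id=5 200
"""

def normalize(stem, max_rounds=3):
    """Percent-decode repeatedly (catches double encoding), unify separators."""
    for _ in range(max_rounds):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem.replace("\\", "/").lower()

def is_traversal_to_shell(stem):
    """True when the decoded path climbs out with '..' and ends at cmd.exe."""
    segments = normalize(stem).split("/")
    return ".." in segments and segments[-1] == "cmd.exe"

def find_hits(log_text):
    """Return (c-ip, cs-uri-stem, sc-status) for each matching request."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "")
        if is_traversal_to_shell(stem):
            hits.append((row.get("c-ip"), stem, row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for ip, stem, status in find_hits(SAMPLE_LOG):
        print(ip, status, stem)
```

A hit answered with status 200 warrants the follow-up the posters describe: check the host for an unexpected FTP listener on port 2002 and for unfamiliar files under the IIS samples directory.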