FW: exploited win2k box, not quite sure how:

["Blake Frantz" <blake () mc net>]

I doubt you will find anything if you Google for "TaGGed By Ca$e",
that's the kiddie that compromised your host (and probably uploaded
warez).

I would start by checking the patch levels of your IIS and SQL
instances, both have remote vulns that yield system level access.
Additionally, if your website accesses the SQL instance via online forms
or queries it may be wise to check your IIS access logs for SQL
insertion type attacks.  Also, check which directories your web root and
ftp root point to, I've seen instances where directories were pointed
in, well, odd places, with no limitation on access.

As for your unopenable file, try putting the name of file in quotes:

C:\>echo Hello > "Tagged By Ca$e"

C:\>type "Tagged By Ca$e"
Hello

C:\>

If you find other directories that contain 'weird' filenames, try DIR
/X.  This will add an addition column which provides the 8.3 name of the
file or directory, use this name to reference your files.  If the file
names contain POSIX reserved names such as com1, prn, etc you will have
to refer to such files using "del \\.\c:\com1" format.  On a side note,
DIR /Q will display the owner of the file/directory, this is helpful
when trying to determine which account was compromised.  (i.e.
IUSR_<computer_name> == IIS Vuln, Administrator == IIS, SQL, etc, user1
== weak password, etc.)

I've gone on long enough, hope this helps.

Blake Frantz  A+, CNA, CCNA, MCSE
Network Security Analyst
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net



-----Original Message-----
From: John Jasen [mailto:jjasen1 () umbc edu] 
Sent: Friday, May 17, 2002 8:05 PM
To: incidents () securityfocus com
Subject: exploited win2k box, not quite sure how:



Got a wierd one here.

Win2k server, SP2
IIS 5.0
SQL server 7
ipswitch imail 6.x

Its definitely been broken into. PC-cillian bas picked up a few nimda
files, and there is a directory c:\tAGGEd with various subdirectories
under it, and an unopenable file C:\TaGGed By Ca$e.

I'm working on getting a disk image up for perusal, but that might take
a few days.

Anybody seen this yet? Searching securityfocus, McAfee, Google, and a
few other places has come up dry.

--
-- John E. Jasen (jjasen1 () umbc edu)
-- User Error #2361: Please insert coffee and try again.


------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com