Security Incidents mailing list archives
RE: New scanner?
From: "newsletters" <listserv () citadelconsulting net>
Date: Thu, 21 Nov 2002 21:10:41 -0500
Jeremy, I'm not sure if your serious or not, but this is probably the most common IIS exploit found. Wherever the destination address is located you're going to find IIS and a compromised scripts directory. The command (cmd.exe) interpreter has been renamed and copied to the c:\inetpub\scripts\root.exe and the intruder is using it to gain command line access to your system. This is basically the ultimate goal of a hacker. You need to search the system for root.exe and delete it. In addition you need to check and reset the permissions for C:\inetpub\*. At a minimum change the scripts directory to read only. Do a search on bugtraq for codered II. That should give you a more detailed action plan. My opinion would be to rebuild the box with all current patches and service packs. Good Luck! CB -----Original Message----- From: Jeremy [mailto:prrthd25 () yahoo com] Sent: Wednesday, November 20, 2002 10:30 AM To: incidents () securityfocus com Subject: New scanner? Hello all, My snort box picked this up yesterday fron two different source ip's and I was wondering if anyone had seen this pattern before. Both times snort logged 718 alerts consisting of the following: 1 instances of WEB-IIS multiple decode attempt 1 instances of FTP invalid MODE 1 instances of WEB-MISC http directory traversal 2 instances of WEB-IIS scripts access 2 instances of (spp_portscan2) Portscan detected 3 instances of WEB-IIS Unicode2.pl script (File permission canonicalization) 6 instances of POLICY FTP anonymous login attempt 17 instances of WEB-IIS CodeRed v2 root.exe access 685 instances of WEB-IIS cmd.exe access This may have been around awhile but its the first time I've seen it, so I figured I would ask. If this is something new I do have packets captures from all the alerts. Thanks, Jeremy __________________________________________________ Do you Yahoo!? Yahoo! Web Hosting - Let the expert host your site http://webhosting.yahoo.com ------------------------------------------------------------------------ ---- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- New scanner? Jeremy (Nov 21)
- RE: New scanner? newsletters (Nov 22)
- RE: New scanner? Jason Frey (Nov 25)
- Re: New scanner? Russell Fulton (Nov 24)
- RE: New scanner? newsletters (Nov 22)