mailing list archives
got hit with iiscrack, trying to learn how it was done
From: jeffrey mergler <jeffreymergler () hotmail com>
Date: 5 Nov 2002 17:14:22 -0000
I think I understand how this incident occurred but there are some pieces
that I feel I do not understand. Specifically, I would like to understand
start to finish, how it happened, where I went wrong, and how to prevent
it. Here's the executive summary.
We installed IIS 5 on a server, exposed http thru the firewall in order to
test a new web based email program that works with our mail server. Mail
server, IIS, new mail software all on same NT 4 box.
Unfortunately, we installed all windows update pathes but were not
diligent enough to install this one:
IIS 5.0 Privilege Escalation Exploit (Entercept Advisory):
I am aware that not this lack of diligence here with patch installs would
have prevented the problem.
We noticed nothing until we experienced (I guess) classic symptoms of a
DOS attack. Internet access was dead from all computer on the network.
After some examination of firewall logs, we realized we were being used as
a source DDoS attack (against the US DOD no less, which infuriates me even
We cut the server off and starting looking for problems. I found in my
a .cmd file that opened up an ftp client session, connected anonomously to
some college server, and downloaded a file which then got renamed to
httpodbc.dll. this backdoor dll is the infamous exploit described above.
This fascinated me... how did this thing work? Well I poked around and
found this file on www.digitaloffence.net and intentionally infected a
laptop and connected to that laptop and voila, i have cmd line control of
the other laptop. dang.
so, after pieceing together all of this, i am still puzzled. i do not
a) how the person used the vulnerability to get the cmd file onto the
computer and executed it. .once the dll is installed, its straihforward
to use, and i understand complely how ftp got it there. but how did the
cmd file get there in the first place, and how was it executed?
b) i think that the iis priv escalation vuln is what allows the
iiscrack.dll/httpodbc.dll backdoor to do its stuff (control the pc) but is
that vuln also the hole that allowed the hacker to get that cmd file on
there, which in turn started the ftp session? I am definitely missing
b) finally, how the did norton system security not stop that file from
being copied/ftp'ed to the server? when i intentionally infected a
laptop, i had to shut off real-time fiel protection. the hacked server
also had this norton installed, virus defs up-to-date, and real-time file
Can someone fill in some of the missing pieces?
- got hit with iiscrack, trying to learn how it was done jeffrey mergler (Nov 07)