I had this happen to my system as well.... Starting to sound to me like they
have written a script that attemtps to do this regardless of the OS.
Interesting thing is that there is a 24 hr seperation between when root.exe
was placed and when the other files were created.
-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS_at_SECURITYFOCUS.COM]On
Behalf Of Security, Network
Sent: Saturday, May 05, 2001 9:34 PM
To: INCIDENTS_at_SECURITYFOCUS.COM
Subject: Re: What "methods" are being used
howdy folks, figured i'd weigh in and let everyone know what i've been
seeing. yesterday and today have been crazy. i only assume these are attacks
from chinese because of the anti-US sentiment diplayed on the defaced pages:
"fuck USA Government
fuck PoizonBOx
contact:sysadmcn_at_yahoo.com.cn"
anyway, it has been a flurry of unicode exploits. The thing i've found about
these attacks is that even thought they are coming from all sorts of
geographically dispersed systems, they are all default looking installs of
solaris, with a root shell bound to port 600. My solaris rootkit knowledge
is a bit rusty...anyone know of rootkits that bind shells to port 600? i
also got a copy of the files on one of the hacked host. they resided in
/dev/cuc and also seemed to store its data in /dev/cub. also grabbb is
running. if anyone wants a copy of what i got from the attacking machine
drop me a line and i'll tar it up for you. so i guess this was more of an
analysis of the attacking machines rahter than the victim machines, but the
victim machines are rather bland. Unicode exploit, copy
C:\winnt\system32\cmd.exe to /scripts/root.exe and then do a echo into the
homepage. pretty bland. they seem to be launching these attacks against
anything listening on port 80...whatever happened to the script kiddie that
_new_ what OS they were attacking? sheesh.
~ qarl
<EOF>
================================================
Karl Hill | Computer Specialist
970.295.5293 | USDA Office of Cyber Security
"...firewalls are speed bumps not brick walls."
-----Original Message-----
From: Paul Rogers [mailto:paul.rogers_at_MIS-CDS.COM]
Sent: Thursday, May 03, 2001 7:18 AM
To: INCIDENTS_at_SECURITYFOCUS.COM
Subject: Re: [INCIDENTS] What "methods" are being used
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> James Meritt wrote:
>
> A variety of web defacements reportedly originating with the
> Chinese are
> being reported. Anyone know what method(s) are being used?
If you want some useful statistics and some basic reconnaissance
information, I personally use www.alldas.de (this is nothing to do
with us) because they banner check and nmap the host when it is added
to the archive. That way you can usually hazard an educated guess on
how the page was defaced. Since the majority of boxes are running
IIS4/5, RDS / MSADC, Unicode and MS-Sql seem to be the favourite. I
guess as soon as a working exploit for the ISAPI Printer issue in
IIS5 makes a rather public appearance, the defacers worldwide will be
using that too.
> Keith McCammon wrote:
>
> I've also been noticing a large number of anonymous FTP
> checks in the last
> two days.
- From what we've seen - Holland has been the favourite source of scans
for FTP recently; RPC scans typically originate from Eastern Asia and
South America.
Cheerio,
Paul Rogers,
Network Security Analyst.
MIS Corporate Defence Solutions Limited
Tel: +44 (0)1622 723422 (Direct Line)
+44 (0)1622 723400 (Switchboard)
Fax: +44 (0)1622 728580
Website: http://www.mis-cds.com/
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBOvFbSrnKcoQ5QY/3EQKIFACePSHNzaCDm6cvfVgFbPpRsMFMoIMAoITy
77CA/7pQ+FEl7nG2Wexd9yWw
=7v/N
-----END PGP SIGNATURE-----
Received on May 10 2001
Intro
