Security Incidents: Re: What "methods" are being used

Re: What "methods" are being used

From: Gregory McCann <cambria_at_OWT.COM>
Date: Wed, 9 May 2001 23:28:22 -0700

A little more info to add about the IIS part of the attack...

The following files were created in C:\

05/07/01 05:41a 289 default.asp
05/07/01 05:41a 289 default.htm
05/07/01 05:41a 289 index.asp
05/07/01 05:41a 289 index.htm

The same files were created in C:\InetPub and every subdirectory under C:\InetPub.

A question... How did they automate the creation of these files in every \InetPub subdirectory? I can't think of a simple command line to do that.

On 5/5/2001 at 8:33 PM Security, Network wrote:

>howdy folks, figured i'd weigh in and let everyone know what i've been
>seeing. yesterday and today have been crazy. i only assume these are
>attacks
>from chinese because of the anti-US sentiment displayed on the defaced
>pages:
>
>"fuck USA Government
>
>fuck PoizonBOx
>
>contact:sysadmcn_at_yahoo.com.cn"
>
>anyway, it has been a flurry of unicode exploits. The thing i've found
>about
>these attacks is that even though they are coming from all sorts of
>geographically dispersed systems, they are all default looking installs of
>solaris, with a root shell bound to port 600. My solaris rootkit knowledge
>is a bit rusty...anyone know of rootkits that bind shells to port 600? i
>also got a copy of the files on one of the hacked hosts. they resided in
>/dev/cuc and also seemed to store its data in /dev/cub. also grabbb is
>running. if anyone wants a copy of what i got from the attacking machine
>drop me a line and i'll tar it up for you. so i guess this was more of an
>analysis of the attacking machines rather than the victim machines, but the
>victim machines are rather bland. Unicode exploit, copy
>C:\winnt\system32\cmd.exe to /scripts/root.exe and then do an echo into the
>homepage. pretty bland. they seem to be launching these attacks against
>anything listening on port 80...whatever happened to the script kiddie that
>_new_ what OS they were attacking? sheesh.
>~ qarl
>
><EOF>
>================================================
>Karl Hill | Computer Specialist
>970.295.5293 | USDA Office of Cyber Security
>"...firewalls are speed bumps not brick walls."
>
>-----Original Message-----
>From: Paul Rogers [mailto:paul.rogers_at_MIS-CDS.COM]
>Sent: Thursday, May 03, 2001 7:18 AM
>To: INCIDENTS_at_SECURITYFOCUS.COM
>Subject: Re: [INCIDENTS] What "methods" are being used
>
>
>> James Meritt wrote:
>>
>> A variety of web defacements reportedly originating with the
>> Chinese are
>> being reported. Anyone know what method(s) are being used?
>
>If you want some useful statistics and some basic reconnaissance
>information, I personally use www.alldas.de (this is nothing to do
>with us) because they banner check and nmap the host when it is added
>to the archive. That way you can usually hazard an educated guess on
>how the page was defaced. Since the majority of boxes are running
>IIS4/5, RDS / MSADC, Unicode and MS-Sql seem to be the favourite. I
>guess as soon as a working exploit for the ISAPI Printer issue in
>IIS5 makes a rather public appearance, the defacers worldwide will be
>using that too.
>
>> Keith McCammon wrote:
>>
>> I've also been noticing a large number of anonymous FTP
>> checks in the last
>> two days.
>
>- From what we've seen - Holland has been the favourite source of scans
>for FTP recently; RPC scans typically originate from Eastern Asia and
>South America.
>
>Cheerio,
>
>Paul Rogers,
>Network Security Analyst.
>
>MIS Corporate Defence Solutions Limited
>
>Tel: +44 (0)1622 723422 (Direct Line)
> +44 (0)1622 723400 (Switchboard)
>Fax: +44 (0)1622 728580
>Website: http://www.mis-cds.com/
>
Received on May 10 2001
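An added example, not part of the list message above: a Python check for the pattern Gregory describes, the same small default page appearing in the web root and in every subdirectory beneath it. Only the four file names come from the report; the sample directory tree, its contents and the 289-byte placeholder are constructed here.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Names the report shows planted in C:\ and in every C:\InetPub subdirectory.
DROP_NAMES = {"default.asp", "default.htm", "index.asp", "index.htm"}

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def find_planted_pages(root, names=DROP_NAMES, min_dirs=3):
    """Hash each file under root whose name is in names and report every
    (size, sha256) group present in min_dirs or more directories: a hand-built
    site rarely repeats a byte-identical default page, a mass defacement does."""
    groups = defaultdict(list)
    for dirpath, _subdirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() in names:
                path = os.path.join(dirpath, name)
                groups[(os.path.getsize(path), sha256_of(path))].append(path)
    return [
        {"size": size, "sha256": digest, "paths": sorted(paths)}
        for (size, digest), paths in groups.items()
        if len({os.path.dirname(p) for p in paths}) >= min_dirs
    ]

def make_sample_tree():
    """Constructed sample webroot: one legitimate page plus a 289-byte placeholder."""
    root = tempfile.mkdtemp(prefix="inetpub_")
    planted = b"<html>placeholder page</html>".ljust(289, b"\n")  # constructed
    for sub in ("", "wwwroot", "scripts", os.path.join("wwwroot", "images")):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name in sorted(DROP_NAMES):
            with open(os.path.join(root, sub, name), "wb") as f:
                f.write(planted)
    legit_dir = os.path.join(root, "wwwroot", "about")
    os.makedirs(legit_dir)
    with open(os.path.join(legit_dir, "index.htm"), "wb") as f:
        f.write(b"<html>About us</html>")  # a normal, unique page
    return root

def demo():
    return find_planted_pages(make_sample_tree())

if __name__ == "__main__":
    print(demo())
```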
