Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: IIS and leech
From: atrinsig <atrinsig () yahoo co nz>
Date: Sun, 10 Nov 2002 01:26:22 +1300 (NZDT)
Hi Randall. Check out this post 30/1/02. Sounds like
you may have just found your Huckelberry! Same port -
and service name - different prognosis however.

Danny P
e-Secure-it.co.nz

Subject: DDoS to microsoft sites

Follow Up Flag: Follow up
Flag Status: Flagged

We've observed two disparate clients apparently rooted
(both are Win2K I
believe), being used to packet flood a variety of
Microsoft sites (msn.com,
hotmail.com and microsoft.com itself).

Just a few seconds of IP accounting showed:

Destination              Packets               Bytes
 64.4.32.251                  14201           
20940508
 207.68.171.254               11862           
17764328
 64.4.32.1                    12142           
18184104
 207.46.197.102               59698           
89401960

These clients are on very different CIDR blocks (from
the first octet). We
don't have any further information at this time, other
than one client
saturated their T1 and the other saturated a 10Mb/s
connection.

I haven't observed any noticeable impacts to the
microsoft sites being
attacked. We have been able to track back the activity
on MRTG graphs to
last Thurs for both clients. We investigated the
traffic volume the first
day it appeared and at that time saw what appeared to
be an attack against
two hosts in .fr and one in .de. The client assured us
at this time it was
legitimate traffic.

A port scan of one of the infected hosts shows:

     7  Echo
     9  Discard
    13  Daytime
    17  Quote of the Day
    19  Character Generator
    21  File Transfer Protocol [Control]
    25  Simple Mail Transfer
    80  World Wide Web HTTP
   135  DCE endpoint resolution
   139  NETBIOS Session Service
   443  https  MCom
   445  Microsoft-DS
   548  AFP over TCP
  1025  network blackjack
  1026
  1027  ICQ?
  1433  Microsoft-SQL-Server
  5631  pcANYWHEREdata

The client claims that they are not running Appletalk
(548) but I'm not sure
whether to believe. We haven't been able to get
console access to that
machine to do any further investigation (but have
blocked it upstream). Of
the above services, most look legit from what I can
tell with the exception
of 548 and 1025-1027

Mike




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management 
and tracking system please see:
http://aris.securityfocus.com

 --- randall perry <randallp () domain-logic com> wrote:

Greets.

An IIS box I manage freaked out yesterday.  I
initially thought that it came under attack but
after digging through what was left of the crime
scene, it looks like MS is to blame.  The most
recent event before the nightmare began was at 7pm
the night was the creation of c:\program
files\WindowsUpdate\wuaudnld.tmp\.  That tells me
that an automagic MS Windows update is what is the
root of trashing that ecommerce box that took all
day yesterday to recover (after 2 BSODs trashing it
to it to the point of not having network
connectivity) .

If that wouldn't have happened, I probably would not
have found the following:
hum.exe which is really leech ftp server was
installed on the box and setup as service to start
with the box.  I found more than 30 gig of files
(movies, MP3s)  were there under 
d:\i386\winnt[some characters]\system32\system32\
and some funny directory names.  The movies were
broken into 14meg chunks, but had sample avi files
in the directory that showed a short clip of what
the movie was.

I have no idea how this got planted there by who. 
(only the office manager and graphics person are the
only ones to access the box)

A port scan of the box showed the following ports
open
          |___    21  [ftp]   File Transfer
[Control]
      |___    25  [smtp]   Simple Mail Transfer
      |___    80  [http]   World Wide Web HTTP
      |___   135  [epmap]   DCE endpoint resolution
      |___   389  [ldap]   Lightweight Directory Access
Protocol
      |___   433  [nnsp]   NNSP
      |___   443  [https]   https  MCom
      |___   445  [microsoft-ds]   Microsoft-DS
      |___  1025  [blackjack]   network blackjack
      |___  1027  [ICQ]   ICQ?

Although typically network blackjack on port 1025, I
can assume that was the leech ftp server controlled
through port 1027.  Anyone else see this?

Randall Perry 





----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS
analyzer service.
For more information on this free incident handling,
management 
and tracking system please see:
http://aris.securityfocus.com
 


http://careers.yahoo.com.au - Yahoo! Careers
- 1,000's of jobs waiting online for you!

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]