RE: strange exploit in Win2K server

From: Dan Norton (dan@ware.net)
Date: 12/06/01


Date: Thu, 6 Dec 2001 08:12:43 -0800
From: "Dan Norton" <dan@ware.net>
To: "Tim Weickert" <tim.weickert@energis-ision.com>, <focus-ms@securityfocus.com>

I found the hack...

Basically by creating the "com1" folder it allows you to create nested
folders and the only way to remove it is by using rm.exe. I even found
instructions on how to set this hack up on other servers with anonymous
write permissions enabled (on a hacker's website). Luckily, this server
was not doing anything in particular and had all the patches installed
(sp2 and all hotfixes currently available) but in my haste had forgotten
to turn off the FTP services on IIS5 as I usually do.

I hope Microsoft fixes this "com1" bug at some point. I was able to
replicate what the hacker did on a test platform I set up internally and
it's pretty scary how easy it is to lock a folder in such a way.

Dan Norton
Network Administrator

WareNet
dan@ware.net
(949) 417 - 2300 x 2360
(888) 927 - 3329 (Fax)
WebSite Development, Web Hosting, Connectivity, Colocation

-----Original Message-----
From: Tim Weickert [mailto:tim.weickert@energis-ision.com]
Sent: Thursday, December 06, 2001 8:11 AM
To: Dan Norton; focus-ms@securityfocus.com
Subject: Re: strange exploit in Win2K server

hi dan,
you should check the properties of your ftp-server
is the anonymous account write "disabled"?

tim

Dan Norton wrote:
>
> OK, I had just installed Win2K server with SP2 and all the hotfixes on a
> server and given it a public IP. Terminal services was also installed.
>
> Within a few days I noticed that outbound traffic from the server was
> quite high so I fired up etherpeek and found that FTP was being used to
> transfer MP3 files from the machine to an address on telia.com.
>
> After pulling the network plug I checked out the hard drive. The
> "groups" directory was 4 GB! In the folder for one of the websites,
> there was a directory called "com1" which I was unable to open. When I
> double clicked on the folder in explorer, the window froze. When I used
> dos and tried to cd to the directory it returned an error of "the
> parameter is incorrect."
>
> I also noticed that my internet services control panel is now completely
> missing.
>
> What happened? Rather, how was this machine exploited so quickly and
> with all the latest fixes?
>
> It was running IIS5.
>
> Dan Norton
> Network Administrator
>
> deveyn@aol.com
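The "com1" folder in this thread works because the Win32 layer treats a path component named after a legacy DOS device (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9, with or without an extension and trailing dots or spaces) as the device rather than as a directory entry, which is why Explorer hangs and `cd` reports "the parameter is incorrect". An administrator who wants to find such entries on an FTP or web root, or stop an upload handler from creating them, can check each name against that list. The following is an added example written for this page, not code from anyone in the thread; the sample path listing is constructed and the function names are the example's own.

```python
import os
import re
from typing import Iterable, List

# Classic Win32 reserved device names (matched case-insensitively).
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(component: str) -> bool:
    """True if a single path component would be interpreted as a DOS device."""
    # Win32 strips trailing spaces and dots before matching the name.
    stem = component.rstrip(" .")
    # Only the part before the first dot matters: "com1.mp3" is still COM1.
    stem = stem.split(".", 1)[0]
    return stem.upper() in _RESERVED


def find_reserved_components(paths: Iterable[str]) -> List[str]:
    """Return the subset of paths that contain a reserved device-name component."""
    hits = []
    for path in paths:
        parts = re.split(r"[\\/]+", path)
        if any(is_reserved_device_name(part) for part in parts if part):
            hits.append(path)
    return hits


def scan_tree(root: str) -> List[str]:
    """Walk a directory tree (e.g. an FTP root) and list offending entries.

    The offending directories are pruned from the walk so that os.walk does
    not try to descend into a name the Win32 layer would treat as a device.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                found.append(os.path.join(dirpath, name))
        dirnames[:] = [d for d in dirnames if not is_reserved_device_name(d)]
    return found


def validate_upload_name(name: str) -> bool:
    """Upload-handler check: reject reserved names and anything with a separator."""
    if not name or re.search(r"[\\/]", name):
        return False
    return not is_reserved_device_name(name)


if __name__ == "__main__":
    # Constructed sample listing, modelled on the "com1" folder in the thread.
    sample = [
        r"inetpub\ftproot\groups\readme.txt",
        r"inetpub\wwwroot\site1\com1",
        r"inetpub\wwwroot\site1\com1\stash\track.mp3",
        r"inetpub\wwwroot\site2\NUL.txt",
        r"inetpub\wwwroot\site2\com10",
    ]
    for hit in find_reserved_components(sample):
        print("reserved device name in path:", hit)
```

`scan_tree` can be pointed at a real FTP or web root on the affected host; on a Windows box the walk still sees the offending name in its parent's listing even though Explorer cannot open it. Note that "com10" is not reserved (only COM1 through COM9 are), so the validator must not over-match on a bare prefix.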


