Re: [incident] IIS defacement through FTP, possible DoS

From: Matthew.Brown@predictive.com
To: forensics@securityfocus.com, incidents@securityfocus.com
Date: Wed, 5 Jun 2002 10:33:34 -0700

Iain,

        I haven't run across this in the wild. Just wanted to let you know
that this isn't the first time I've seen more than just scripts coming
from the RIPE.NET domain out of Deutschland (Germany). I've seen it on at
least two incidents I've been on over the past six months.

Thanks,
Matthew Brown, CISSP, SSCP
Principal Security Consultant
Predictive Systems

"Iain Craig" <i.craig@gael.net>
06/05/2002 01:40 AM

        To: <forensics@securityfocus.com>
        cc: <incidents@securityfocus.com>
        Subject: [incident] IIS defacement through FTP, possible DoS

Hi all,

Was wondering if anyone is aware of an IIS FTP server exploit that gives
an attacker read/write access to a single legitimate user's folders and
also zeroes the log file?

I've just seen this behaviour on a box running Win2K Advanced Server SP2
and IIS 5.

The box hosts many websites, one of which was defaced; looking at the web
logs I see no suspicious activity at all (no POST attempts even - the
site's fairly simple and doesn't need POST at all - also no FrontPage).
Checking the FTP logs, which is the site's owner's only way in, I see the
log for when the attack happened (on hourly rotation) is precisely 64Kb of
00h.

Is this "just" a cunning FTP server exploit or, given the nature of the
logfile, should I be concerned that a higher level of access to the box
has been achieved?

In logs for the days prior to the compromise I see connections to the FTP
server that are certainly odd but don't match a brute force attack
fingerprint:

<snip>
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [27]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [28]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [29]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [30]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [1]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [5]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME IP.OF.THE.BOX 21 [2]PASS - - 530 1326 0 0 219 FTP - - - -
<snip>

There were a LOT of those, all very fast like a DoS attempt. Other
usernames I was seeing in a similar DoS fashion from the same time and IP
were Ogpuser@home.com, Kgpuser@home.com, and Lgpuser@home.com.

Anyone know of a kiddie tool that uses these names?

Incidentally, from the WHOIS on that IP:

inetnum: 81.64.0.0 - 81.67.255.255
netname: FR-CYBERCABLE-20020103
descr: LYONNAISE COMMUNICATIONS
                       PROVIDER Local Registry
country: FR
admin-c: LC220-RIPE
tech-c: LC224-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS6678-MNT
mnt-routes: AS6678-MNT
changed: hostmaster@ripe.net 20020103
changed: hostmaster@ripe.net 20020108
source: RIPE

That's not the only IP these DoS-ish requests came from; going through the
others now. Wondering if I'm dealing with two separate incidents here, the
defacement and a separate DoS or DDoS.

Any advice or guidance appreciated.

Best regards,
Iain C

-- 
Iain Craig - Systems Administrator

Gael.net Ltd - Web Developers & Internet Consultants
Telematic Centre, Broom Place, Dunvegan Road, Portree, Isle of Skye, Scotland IV51 9HL

t: +44 (0)1478 613 300  f: +44 (0)1478 614 929  e: i.craig@gael.net  w: www.gael.net

Need "Instant Web Publishing"? Try www.sitekit.net
Need "Instant E-commerce"? Try www.shopkit.net
Need effective e-marketing services? Try www.promokit.net

The 2001 Highland & Islands Business Awards - Technology Award Winner

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
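The triage Iain describes (spotting the very fast USER/PASS bursts in the MSFTPSVC log, grouping the usernames tried per source, and checking whether a rotated log file is nothing but 00h bytes) is easy to script, and doing it over all the hourly files beats eyeballing them. The block below is an added example written for this page, not code from either poster or from Microsoft. It assumes the W3C Extended field order that the quoted 20-column lines fit (the log's own #Fields header is not shown in the post), and its sample log is constructed to mirror the post: the same source address and usernames, with 192.0.2.10 and 198.51.100.7 standing in for the redacted server IP and an ordinary site-owner login. The Win32 status 1326 beside the 530s is ERROR_LOGON_FAILURE (bad username or password), which is why the burst reads as guessing rather than a protocol-level attack.

```python
"""Triage of an IIS 5 MSFTPSVC W3C log excerpt like the one quoted in the thread.
Added example; the field order is assumed from the 20-column lines in the post."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed W3C Extended field order (matches the quoted lines column for column).
FIELDS = [
    "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip",
    "s-port", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
    "sc-win32-status", "sc-bytes", "cs-bytes", "time-taken", "cs-version",
    "cs-host", "cs(User-Agent)", "cs(Cookie)", "cs(Referer)",
]

ERROR_LOGON_FAILURE = 1326  # Win32 status logged beside the FTP 530s in the post

# Constructed sample modelled on the post: a burst of USER/PASS pairs from one source
# using the names the post mentions, then one ordinary owner login from elsewhere.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
02:08:50 81.65.186.118 anonymous@ftp.microsoft.com MSFTPSVC1 BOXNAME 192.0.2.10 21 [27]USER anonymous@ftp.microsoft.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME 192.0.2.10 21 [27]PASS - - 530 1326 0 0 235 FTP - - - -
02:08:50 81.65.186.118 Ogpuser@home.com MSFTPSVC1 BOXNAME 192.0.2.10 21 [28]USER Ogpuser@home.com - 331 0 0 0 0 FTP - - - -
02:08:50 81.65.186.118 - MSFTPSVC1 BOXNAME 192.0.2.10 21 [28]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:51 81.65.186.118 Kgpuser@home.com MSFTPSVC1 BOXNAME 192.0.2.10 21 [29]USER Kgpuser@home.com - 331 0 0 0 0 FTP - - - -
02:08:51 81.65.186.118 - MSFTPSVC1 BOXNAME 192.0.2.10 21 [29]PASS - - 530 1326 0 0 219 FTP - - - -
02:08:51 81.65.186.118 Lgpuser@home.com MSFTPSVC1 BOXNAME 192.0.2.10 21 [30]USER Lgpuser@home.com - 331 0 0 0 0 FTP - - - -
02:08:51 81.65.186.118 - MSFTPSVC1 BOXNAME 192.0.2.10 21 [30]PASS - - 530 1326 0 0 219 FTP - - - -
02:15:02 198.51.100.7 siteowner MSFTPSVC1 BOXNAME 192.0.2.10 21 [31]USER siteowner - 331 0 0 0 0 FTP - - - -
02:15:03 198.51.100.7 siteowner MSFTPSVC1 BOXNAME 192.0.2.10 21 [31]PASS - - 230 0 0 0 40 FTP - - - -
"""


def parse_log(text):
    """Parse W3C lines into dicts; skip # directives and lines with the wrong column count."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        # IIS prefixes the FTP command with a per-connection sequence number, e.g. "[27]USER".
        method = rec["cs-method"]
        if method.startswith("[") and "]" in method:
            rec["conn-seq"], rec["cs-method"] = method[1:].split("]", 1)
        else:
            rec["conn-seq"] = None
        rec["sc-status"] = int(rec["sc-status"])
        rec["sc-win32-status"] = int(rec["sc-win32-status"])
        rec["when"] = datetime.strptime(rec["time"], "%H:%M:%S")
        records.append(rec)
    return records


def failed_logins(records):
    """PASS commands the server rejected with FTP 530."""
    return [r for r in records if r["cs-method"] == "PASS" and r["sc-status"] == 530]


def auth_bursts(records, window=timedelta(seconds=2), threshold=3):
    """Sources with >= threshold failed logins inside any sliding window; returns {c-ip: peak}.
    A guessing tool and a login-flood DoS look alike here; the username pattern separates them."""
    by_ip = defaultdict(list)
    for r in failed_logins(records):
        by_ip[r["c-ip"]].append(r["when"])
    bursts = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts


def usernames_tried(records):
    """USER arguments per source: identical names repeated = flood, a varied list = guessing."""
    counts = defaultdict(Counter)
    for r in records:
        if r["cs-method"] == "USER":
            counts[r["c-ip"]][r["cs-uri-stem"]] += 1
    return counts


def is_zero_filled(data, expect_len=None):
    """True if the log content is nothing but NUL bytes (the '64Kb of 00h' in the post).
    IIS buffers log writes in 64 KB chunks, so one whole NUL block can also be left by the
    service dying before a flush: correlate a hit with the event logs before calling it tampering."""
    if not data or (expect_len is not None and len(data) != expect_len):
        return False
    return data.count(b"\x00") == len(data)


def triage(text):
    records = parse_log(text)
    return {
        "records": len(records),
        "failed_logins": len(failed_logins(records)),
        "bursts": auth_bursts(records),
        "usernames": {ip: dict(c) for ip, c in usernames_tried(records).items()},
    }


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    print("zero-filled:", is_zero_filled(b"\x00" * 65536, expect_len=65536))
```

Run it over every hourly file in the LogFiles\MSFTPSVC1 directory rather than one excerpt; the burst detector is per source, so the "other IPs" Iain was still going through fall out of the same pass, and the username table shows at a glance whether each source is replaying one name or walking a list.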
