Win2K Advanced Server compromise report available

From: Curt Wilson (netw3@premis.lod.com)
Date: 09/17/02


Date: 17 Sep 2002 15:24:23 -0000
From: Curt Wilson <netw3@premis.lod.com>
To: incidents@securityfocus.com



Several weeks ago I left a msg about a compromise of a Win2K Advanced
Server system. The system was attacked by Chinese (and other) attackers.
I've written up a document on this incident and include links to some of
the tools that were found on the server.

The documents can be found at the Netw3 Security Research web site at
http://www.netw3.com. The most recent HTML document in the reading room is
what you will want to view, as it has links to the attacker tools that
were found, or you can view the document directly at
http://www.netw3.com/documents/win2k_attack_chinese.htm

PipeCmdSrv.exe was found on the system, which is the server side component
of PipeCmd.exe, which runs with NtCmd.exe on the attacking client.
PipeCmd.exe comes in the Fluxay attack toolkit (which has also been called
an auto-rooter), but PipeCmdSrv.exe does not appear to be publicly
available from what I have seen so far. A translated link from a Chinese
hacker web site is included in the report that discusses the use of the
PipeCmd.exe and PipeCmdSrv.exe tools. I was somewhat surprised to find no
reference to these tools on the usual array of security sites
(packetstorm, etc.) but I suppose one can't account for everything out
there.

Antivirus companies and other malware detectors may want to obtain the
PipeCmd tools from the Netw3.com site and generate product signatures.

Curt Wilson
Netw3 Security Research
netw3@netw3.com (my normal mailbox at premis.lod.com appears to be down)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
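As an added example (not part of the original post, and not one of the tools it describes), the sweep below is the kind of triage a responder or AV analyst might run over a disk image of a compromised host: it walks a directory tree, picks out files carrying the tool names mentioned in the report (PipeCmdSrv.exe, PipeCmd.exe, NtCmd.exe) and records their SHA-256 hashes so they can be shared as indicators or used to build signatures. The tool names come from the post; the sample directory layout, file contents and every function name are assumptions made for the example.

```python
"""Filename-based sweep for the attacker tools named in the report.

Added example; not code from the original post. Names in SUSPECT_NAMES
are the tool filenames the report mentions; everything else is assumed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Iterable, List

# Tool filenames taken from the report (case-insensitive match below).
SUSPECT_NAMES = {"pipecmdsrv.exe", "pipecmd.exe", "ntcmd.exe"}


@dataclass(frozen=True)
class Finding:
    path: str
    size: int
    sha256: str


def sha256_file(path: str, chunk: int = 65536) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: str, names: Iterable[str] = SUSPECT_NAMES) -> List[Finding]:
    """Walk `root` and return a Finding for every file whose name is in `names`.

    The match is case-insensitive because Windows filesystems are; an
    attacker dropping 'PIPECMDSRV.EXE' should still be caught.
    """
    wanted = {n.lower() for n in names}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in wanted:
                full = os.path.join(dirpath, name)
                findings.append(Finding(full, os.path.getsize(full), sha256_file(full)))
    return sorted(findings, key=lambda f: f.path)


def report(findings: List[Finding]) -> List[str]:
    """Render findings as 'sha256  size  path' lines, one per hit."""
    return [f"{f.sha256}  {f.size:>8}  {f.path}" for f in findings]


def demo() -> List[Finding]:
    """Build a constructed sample tree in a temp dir and sweep it.

    The layout and byte contents are invented for this example; two of
    the three files carry names from the report, the third is a decoy.
    """
    root = tempfile.mkdtemp()
    samples = {
        os.path.join(root, "inetpub", "scripts", "PipeCmdSrv.exe"): b"MZ constructed sample",
        os.path.join(root, "winnt", "system32", "ntcmd.exe"): b"MZ constructed sample",
        os.path.join(root, "winnt", "notepad.exe"): b"MZ benign decoy",
    }
    for path, data in samples.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    return sweep(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for line in report(sweep(target) if target else demo()):
        print(line)
```

Run it against a mounted image (`python sweep.py /mnt/evidence`) or with no argument to exercise the constructed sample tree. Matching on filename alone is a first pass only: the hashes it records are what turn a lucky filename hit into an indicator that survives a rename.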
