RE: New scanner?

From: newsletters (listserv@citadelconsulting.net)
Date: 11/22/02

  • Next message: Emeric Miszti: "Re: Proxy server hit... Any ideas?"
    From: "newsletters" <listserv@citadelconsulting.net>
    To: "'Jeremy'" <prrthd25@yahoo.com>, <incidents@securityfocus.com>
    Date: Thu, 21 Nov 2002 21:10:41 -0500
    
    

    Jeremy,

    I'm not sure if your serious or not, but this is probably the most
    common IIS exploit found. Wherever the destination address is located
    you're going to find IIS and a compromised scripts directory. The
    command (cmd.exe) interpreter has been renamed and copied to the
    c:\inetpub\scripts\root.exe and the intruder is using it to gain command
    line access to your system. This is basically the ultimate goal of a
    hacker. You need to search the system for root.exe and delete it. In
    addition you need to check and reset the permissions for C:\inetpub\*.
    At a minimum change the scripts directory to read only. Do a search on
    bugtraq for codered II. That should give you a more detailed action
    plan. My opinion would be to rebuild the box with all current patches
    and service packs.

    Good Luck!

    CB

    -----Original Message-----
    From: Jeremy [mailto:prrthd25@yahoo.com]
    Sent: Wednesday, November 20, 2002 10:30 AM
    To: incidents@securityfocus.com
    Subject: New scanner?

    Hello all,

      My snort box picked this up yesterday fron two
    different source ip's and I was wondering if anyone
    had seen this pattern before. Both times snort logged
    718 alerts consisting of the following:

    1 instances of WEB-IIS multiple decode attempt
    1 instances of FTP invalid MODE
    1 instances of WEB-MISC http directory traversal
    2 instances of WEB-IIS scripts access
    2 instances of (spp_portscan2) Portscan detected
    3 instances of WEB-IIS Unicode2.pl script (File
    permission canonicalization)
    6 instances of POLICY FTP anonymous login attempt
    17 instances of WEB-IIS CodeRed v2 root.exe access
    685 instances of WEB-IIS cmd.exe access

    This may have been around awhile but its the first
    time I've seen it, so I figured I would ask. If this
    is something new I do have packets captures from all
    the alerts.

    Thanks,
      Jeremy

    __________________________________________________
    Do you Yahoo!?
    Yahoo! Web Hosting - Let the expert host your site
    http://webhosting.yahoo.com

    ------------------------------------------------------------------------

    ----
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com