Re: new attack tool combining SMB and WebDAV?

From: Bill McCarty (bmccarty@apu.edu)
Date: 04/01/03

Date: Mon, 31 Mar 2003 14:25:28 -0800
From: Bill McCarty <bmccarty@apu.edu>
To: Matt Power <mhpower@bos.bindview.com>, incidents@securityfocus.com

    Hi Matt and all,

    One of my Windows honeypots has logged this attack. I see both the ICMP
    datagrams having lower case letters reported by Matt Power and the upper
    case Es reported by James Slora. The tool succeeded in compromising the
    honeypot, presumably via the honeypot's weak (actually null) admin
    password. However, the attack might instead have capitalized on some IIS
    vulnerability, such as WebDAV. I haven't found time to analyze the traffic
    or host in detail.

    The attacker established a Serv-U FTP server running on port 61337,
    identifying himself by the user ID xtahc. He provided the server with the
    following banner (please pardon the anticipated line wraps):

    mkd 10
    mkd 11
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!
    mkd 12 !!!!!!!!!!!! [ Inf-alliance ]
    !!!!!!!!!!!!!
    mkd 13
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!
    mkd 14 !!!!!!!!!!!!!!!!!! [ Games ]
    !!!!!!!!!!!!!!!!!!!
    mkd 15 !!!!!!!!!!!!!!!!! [ Movies ]
    !!!!!!!!!!!!!!!!!!!
    mkd 16 !!!!!!!!!!!!!!!!!! [ Appz ]
    !!!!!!!!!!!!!!!!!!!!
    mkd 17 !!!!!!!!!!!!!!!!! [ MP3's ]
    !!!!!!!!!!!!!!!!!!!!
    mkd 18
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!
    mkd 19 !!!!!!!!!!!! [ Filled by ]
    !!!!!!!!!!!!
    mkd 20 !!!!!!!!!! [ 2003 Physix Productions ]
    !!!!!!!!!!!
    mkd 21
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !!!!!!!!
    mkd 22

    Other information identified the compromised server as belonging to the
    OutpostFXP Pubstro community. I've been unable to learn more about that
    community.

    I can dig up other information if doing so would be helpful. But I'm
    pretty jammed just now.

    Cheers,

    ---------------------------------------------------
    Bill McCarty
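The MKD commands quoted above are the tool tagging the box for the pubstro community. As an added example (not from Bill's post or from the Serv-U product), a small Python script that scans FTP server log lines for sessions creating several such banner-style directory names; the log line format and the sample lines are constructed assumptions loosely modelled on the quoted commands.

```python
import re
from collections import defaultdict

# Constructed sample log (not a real capture); the format is an assumption.
SAMPLE_LOG = """\
[1] Mon 31Mar03 13:02:11 - (000004) xtahc USER xtahc
[1] Mon 31Mar03 13:02:12 - (000004) xtahc MKD 10
[1] Mon 31Mar03 13:02:12 - (000004) xtahc MKD 11 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[1] Mon 31Mar03 13:02:12 - (000004) xtahc MKD 12 !!!!!!!!!!!! [ Inf-alliance ] !!!!!!!!!!!!!
[1] Mon 31Mar03 13:02:13 - (000004) xtahc MKD 14 !!!!!!!!!!!!!!!!!! [ Games ] !!!!!!!!!!!!!!!!!!!
[1] Mon 31Mar03 13:05:40 - (000005) alice MKD reports
[1] Mon 31Mar03 13:05:41 - (000005) alice MKD reports/2003
"""

LOG_RE = re.compile(r"\((?P<session>\d+)\) (?P<user>\S+) MKD (?P<arg>.*)$")
TAG_RE = re.compile(r"\[\s*([^\]]+?)\s*\]")   # "[ Inf-alliance ]" -> "Inf-alliance"
BANNER_CHARS = set("!-=*_~|")                 # decoration used in pubstro banners

def is_banner_name(name: str) -> bool:
    """True if a directory name looks like pubstro tagging: at least half
    decoration characters, or a bracketed tag with some decoration around it."""
    stripped = name.strip()
    if not stripped:
        return False
    deco = sum(1 for c in stripped if c in BANNER_CHARS)
    if deco / len(stripped) >= 0.5:
        return True
    return bool(TAG_RE.search(stripped)) and deco > 0

def find_pubstro_sessions(log_text: str, threshold: int = 3) -> dict:
    """Return sessions that created at least `threshold` banner-style
    directories, with the user and the bracketed tags seen."""
    hits = defaultdict(lambda: {"user": None, "banner_dirs": 0, "tags": []})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        # Strip the numeric prefix ("10", "11") the tool uses to order dirs.
        name = re.sub(r"^\d+\s*", "", m.group("arg"))
        if not is_banner_name(name):
            continue
        entry = hits[m.group("session")]
        entry["user"] = m.group("user")
        entry["banner_dirs"] += 1
        entry["tags"].extend(t.strip() for t in TAG_RE.findall(name))
    return {s: e for s, e in hits.items() if e["banner_dirs"] >= threshold}

if __name__ == "__main__":
    for session, info in find_pubstro_sessions(SAMPLE_LOG).items():
        print(f"session {session}: user={info['user']} tags={info['tags']}")
```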


