Re: new attack tool combining SMB and WebDAV?
From: Bill McCarty (bmccarty@apu.edu)
Date: 04/01/03
- Previous message: James C Slora Jr: "RE: new attack tool combining SMB and WebDAV?"
Date: Mon, 31 Mar 2003 14:25:28 -0800
From: Bill McCarty <bmccarty@apu.edu>
To: Matt Power <mhpower@bos.bindview.com>, incidents@securityfocus.com
Hi Matt and all,
One of my Windows honeypots has logged this attack. I see both the ICMP
datagrams with lower-case letters reported by Matt Power and the upper-case
Es reported by James Slora. The tool succeeded in compromising the
honeypot, presumably via the honeypot's weak (actually null) admin
password. However, the attack might instead have capitalized on some IIS
vulnerability, such as WebDAV. I haven't found time to analyze the traffic
or host in detail.
The attacker established a Serv-U FTP server running on port 61337,
identifying himself by the user ID xtahc. He provided the server with the
following banner (please pardon the anticipated line wraps):
mkd 10
mkd 11 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 12 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Inf-alliance ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 13 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 14 !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Games ] ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 15 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ Movies ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 16 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Appz ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 17 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ MP3's ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 18 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 19 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡! [ Filled by ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 20 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡ [ ©2003 Physix Productions ] !¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 21 ¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡!¡
mkd 22
Other information identified the compromised server as belonging to the
OutpostFXP Pubstro community. I've been unable to learn more about that
community.
I can dig up other information if doing so would be helpful. But, I'm
pretty jammed just now.
Cheers,
---------------------------------------------------
Bill McCarty
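Added example, not part of Bill McCarty's post and not Serv-U's own code: a small detector that scores an FTP greeting for the traits visible in the banner above (a Serv-U greeting, a listener on a non-standard port such as 61337, warez category tags like [ Appz ] and [ Filled by ], and lines padded with runs of "¡!"). The keyword list, the threshold and the sample greetings are constructed for this example; the banner grabber reads a multi-line 220 reply but is not exercised offline.

```python
# Added example, not part of the original post or of any Serv-U tooling.
# Scores an FTP greeting for "pubstro" traits seen in the captured banner:
# Serv-U greeting, non-standard port, warez category tags, and "¡!" padding.
# Keyword list, threshold and sample banners are constructed for this example.
import re
import socket
from dataclasses import dataclass, field

# Category and crew tags lifted from the captured banner (lower-cased for matching).
PUBSTRO_KEYWORDS = (
    "inf-alliance", "games", "movies", "appz", "mp3",
    "filled by", "productions", "pubstro",
)
# Four or more alternating inverted/normal exclamation marks (U+00A1 is "¡").
PAD_RUN = re.compile(r"(?:\u00a1!|!\u00a1){4,}")
# Serv-U names itself in its 220 greeting; the exact version text is not
# taken from the page, so match only the product name.
SERVU_RE = re.compile(r"serv-?u", re.IGNORECASE)
# Ports where an FTP greeting is expected and so not suspicious by itself.
STANDARD_FTP_PORTS = {21, 990}
SUSPICION_THRESHOLD = 3  # constructed; tune against your own baseline


@dataclass
class BannerVerdict:
    port: int
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICION_THRESHOLD


def score_banner(banner: str, port: int) -> BannerVerdict:
    """Return a verdict for one FTP greeting seen on the given TCP port."""
    verdict = BannerVerdict(port=port)
    text = banner.lower()

    if port not in STANDARD_FTP_PORTS:
        verdict.score += 1
        verdict.reasons.append(f"FTP greeting on non-standard port {port}")

    hits = [k for k in PUBSTRO_KEYWORDS if k in text]
    if hits:
        verdict.score += min(len(hits), 3)  # cap so one long banner does not dominate
        verdict.reasons.append("warez tags: " + ", ".join(hits))

    if PAD_RUN.search(banner):
        verdict.score += 1
        verdict.reasons.append("decorative \u00a1! padding")

    if SERVU_RE.search(banner):
        verdict.score += 1
        verdict.reasons.append("Serv-U greeting")

    return verdict


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Read a possibly multi-line FTP greeting: '220-...' continuation lines
    until a final '220 ...' line (RFC 959 multi-line reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        data = b""
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            data += chunk
            lines = data.decode("latin-1", "replace").splitlines()
            if lines and re.match(r"^\d{3} ", lines[-1]):
                break
    return data.decode("latin-1", "replace")


# Constructed sample greetings (not captured traffic), modelled on the banner above.
PAD = "\u00a1!" * 8
SAMPLE_PUBSTRO = (
    "220-Serv-U FTP Server ready\r\n"
    f"220-{PAD} [ Inf-alliance ] {PAD}\r\n"
    f"220-{PAD} [ Games ] {PAD}\r\n"
    f"220-{PAD} [ Movies ] {PAD}\r\n"
    f"220-{PAD} [ Appz ] {PAD}\r\n"
    f"220-{PAD} [ MP3's ] {PAD}\r\n"
    f"220-{PAD} [ Filled by ] {PAD}\r\n"
    f"220 {PAD} [ (c)2003 Physix Productions ] {PAD}\r\n"
)
SAMPLE_BENIGN = "220 ProFTPD Server ready.\r\n"
SAMPLE_SERVU_STD = "220 Serv-U FTP Server ready\r\n"

if __name__ == "__main__":
    for name, banner, port in (("pubstro", SAMPLE_PUBSTRO, 61337),
                               ("benign", SAMPLE_BENIGN, 21),
                               ("serv-u on 21", SAMPLE_SERVU_STD, 21)):
        v = score_banner(banner, port)
        print(f"{name}: score={v.score} suspicious={v.suspicious} {v.reasons}")
```

The keyword hits are capped at three so that a single banner full of tags does not outscore the structural signals; a stock Serv-U on port 21 scores only 1 and stays below the threshold, while the constructed pubstro-style greeting on 61337 scores 6.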