RE: Patched IIS/frontpage host compromised 7-1-2003

From: Dowling, Gabrielle (dowlingg_at_sullcrom.com)
Date: 07/16/03

  • Next message: Harlan Carvey: "re: Patched IIS/frontpage host compromised 7-1-2003"

    Date: Wed, 16 Jul 2003 01:45:44 -0400
    To: "Johnson, April" <apjohnson@seattleschools.org>, <incidents@securityfocus.com>

    This sounds very much like an issue that was posted on FullDisclosure in June, and for which McAfee has a description (and for which, oddly coincidentally, I had to do some research today). Do a google on mschk.exe and you may see this.

    I don't recall that this was an IIS flaw as I was looking at it from a different angle, the McAfee description should advise. Also, I suspect the fulldisclosure post was not correct with respect to the firewall and av disabling aspects.

    Then again, this may not be exactly the same issue I looked at earlier today.....

    G

     -----Original Message-----
    From: Johnson, April
    Sent: Wed Jul 16 01:24:16 2003
    To: incidents@securityfocus.com
    Subject: Patched IIS/frontpage host compromised 7-1-2003

    I'm an exceptionally unhappy admin (and perhaps a little embarrassed as
    well). At this point I'm assuming it's impossible to adequately secure an
    IIS server with Frontpage extensions?

    What the server had:
    -Patched to SP3 + updates (on 7/1 I hadn't fully deployed SP4 yet).
    -Frontpage Extensions
    -Visibility to the internet on ports 80 and 443
    -Outbound access on all ports
    -Norton Anti-virus with realtime protection and current definitions
    -Non-admin users denied access to system folders
    -RestrictAnonymous was set to 1
    -Indexing service was not active
    -IIS sample apps and MSADC/Scripts directories were not present
    -Parentpaths were disabled

    What the server did NOT have:
    -The POSIX subsystem was not removed
    -The IIS lockdown tool was not run

    Rootkit/compromise components I've found so far (yes, I'm about to
    format this box...)
    -a service called 'Detector' that may be a "Serv-U" service
    -a local user created named 'default' and placed in the Administrators
    group
    -scripts found in the system32 subdirectory called script.bat and
    script80.bat
            *extracts from a bean.cab (and bean80.cab) file
            *it created mschk.dll
            *copies up files called drive.exe, drives.txt and syswdrv.dll to
    look for warez drive space
    -special subdirectories hidden in the recycler

    Hidden in the Serv-U.ini file is a registration key, and a username
    DeVilRiDer; Serv-U was configured with a "look" user, a "chameleon"
    user, and a "leech" user (not NT accounts, but within the app).

    Two TFTP files, TFTP1568, TFTP 1872.

    Other changes:
    The Telnet service was started (although not visible to the outside)

    That's about it.
    At this point, I'm now formatting the box.

    Thoughts? Shall I give up on ever making a Frontpage Server visible to
    the outside? I don't have the same level of problems on my Apache
    servers, although compromise is still possible.

    April Johnson (CISSP, CCNP, MCSE)
    apjohnson@seattleschools.org*nospam*

    "Give a kid a fish, and he eats for a day. Teach a kid to fish, and he
    eats for a lifetime."

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------

    **********************************************************************
    This e-mail is sent by a law firm and contains information
    that may be privileged and confidential. If you are not the
    intended recipient, please delete the e-mail and notify us
    immediately.
    ***********************************************************************

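An added triage script, not part of this thread or of any tool mentioned in it, that checks a Windows host for the indicators April lists above (the 'Detector' service, the 'default' account in Administrators, the dropper scripts and DLLs in System32, a Serv-U.ini with application-level users, hidden directories under RECYCLER, TFTP artifacts, and a running Telnet service). It assumes a recent Windows PowerShell (5.1 or later, for Get-LocalGroupMember and Get-NetTCPConnection) run as administrator on the suspect box; the RECYCLER layout heuristic and the `[USER=...]` section pattern used to read Serv-U.ini are assumptions about the target, not facts from the post.

```powershell
# Added example (not from the thread): host triage for the indicators in April Johnson's
# report. Assumes Windows PowerShell 5.1+ run as administrator. File names, the service
# name 'Detector' and the account name 'default' come from the post; the RECYCLER
# heuristic and the Serv-U.ini [USER=...] pattern are assumptions about the target.

$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Service named 'Detector' (reported as a possible renamed Serv-U daemon)
Get-CimInstance Win32_Service -Filter "Name='Detector' OR DisplayName='Detector'" |
    ForEach-Object { $findings.Add("service '$($_.Name)' state=$($_.State) path=$($_.PathName)") }

# 2. Local account 'default' placed in the Administrators group
Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '\\default$' } |
    ForEach-Object { $findings.Add("account $($_.Name) is a member of Administrators") }

# 3. Dropper scripts, cab archives and warez-space probe files in System32
$iocFiles = 'script.bat', 'script80.bat', 'bean.cab', 'bean80.cab',
            'mschk.dll', 'drive.exe', 'drives.txt', 'syswdrv.dll'
foreach ($f in $iocFiles) {
    $p = Join-Path $sys32 $f
    if (Test-Path -LiteralPath $p) {
        $fi = Get-Item -LiteralPath $p -Force
        $findings.Add("file $p size=$($fi.Length) written=$($fi.LastWriteTime.ToString('s'))")
    }
}

# 4. Any Serv-U.ini on the system drive, with the application-level users defined in it
#    (assumes Serv-U stores each user as a [USER=name...] section)
Get-ChildItem -Path "$env:SystemDrive\" -Filter 'Serv-U.ini' -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $users = Select-String -LiteralPath $_.FullName -Pattern '^\[USER=([^\]]+)\]' |
                 ForEach-Object { $_.Matches[0].Groups[1].Value }
        $findings.Add("Serv-U.ini at $($_.FullName) users: $($users -join ', ')")
    }

# 5. Directories under RECYCLER that are not per-SID recycle bins
#    (assumption: legitimate entries on Windows 2000/XP are named S-1-5-...)
$recycler = Join-Path $env:SystemDrive 'RECYCLER'
if (Test-Path -LiteralPath $recycler) {
    Get-ChildItem -LiteralPath $recycler -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notmatch '^S-1-5-' } |
        ForEach-Object { $findings.Add("non-SID directory under RECYCLER: $($_.FullName)") }
}

# 6. TFTP<digits> artifacts in System32 and a running Telnet service (service name TlntSvr)
Get-ChildItem -LiteralPath $sys32 -Filter 'TFTP*' -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^TFTP\d+$' } |
    ForEach-Object { $findings.Add("tftp artifact $($_.FullName)") }

$telnet = Get-Service -Name 'TlntSvr' -ErrorAction SilentlyContinue
if ($telnet -and $telnet.Status -eq 'Running') { $findings.Add('Telnet service (TlntSvr) is running') }

# 7. Listeners on the FTP and Telnet ports, with the owning process, so an unexpected
#    daemon (e.g. Serv-U under another name) shows up even if the service was renamed
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 21, 23 } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $findings.Add("listener on tcp/$($_.LocalPort) pid=$($_.OwningProcess) ($($proc.ProcessName))")
    }

if ($findings.Count -eq 0) { 'no indicators from the 2003 report found' } else { $findings }
```

Run it from an elevated prompt before wiping the box and keep the output with the image; the file timestamps in step 3 and the Serv-U user list in step 4 are what you would want when comparing against the FullDisclosure/McAfee write-up Gabrielle mentions. A clean result from this script only means these specific indicators are absent, not that the host is clean.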
