Re: MS Vulnerability? I was hacked!
From: BobOki (boboki@boboki.com)
Date: 01/12/03
From: "BobOki" <boboki@boboki.com> Date: Sat, 11 Jan 2003 16:37:40 -0800
Yeah, that's what I thought too... but, then again, all my
index.htm/.html.asp and default.htm/.html.asp were changed
to new files stating that "F3NP OWNS YOU! f3np@iname.com"
I was on very late last night, and went to bed shortly
before this. I was the last person to access my logs before
this, and the first person to access them afterwards. This
is the only thing that was logged, and it's a hack attempt.
I am assuming that whatever they did, did not get logged.
This is why I am thinking it is something new like a
variation of Code Red that affects IIS somehow. I checked
my logs for FTP. They showed no attempts at all on it.
Most other ports are closed. My mail server is clean...
So that leads me to believe it's something in IIS.
Doing a Yahoo search for F3NP brought up a good deal of
webpages hacked by the same person/group. So definitely
take this as a warning to all... They ARE actively hacking
right now....
I guess what I need is #1. make people aware that there IS
a vulnerability right now.. though what it is I cannot say,
and also to get some information on how I can dig deeper
to find what they could have done, how they got in, etc
etc.
>-----Original Message-----
>I think it's inconclusive to say whether you've been hacked. From this log
>it looks like nothing was done, leading me to believe that whatever it was
>gave up after having no success.
>
>Additionally, code 404, 403, 40x etc. is so far always a code of no success.
>500 is usually no success but not always. 200 is usually success but not
>always. For more information on this, see:
>
>http://securityadmin.info/faq.htm#iislogs2
>http://securityadmin.info/faq.htm#iislogs
>
>This looks like a worm like Nimda or Code Red. There's nothing you really
>can or should do to stop these from hitting your server, you just need to be
>sure your server is hardened against them, which it seems you are. Everyone
>gets tons of these attempts in their IIS logs.
>
>Having said that, you should really consider running URLScan which is free
>from Microsoft, comes with IISLockdown. The 500 error codes also indicate
>you may not have followed the IIS hardening checklists out there, starting
>with the ones from www.microsoft.com/technet/security
>
>Other things you should consider doing to harden your system are at:
>
>http://securityadmin.info/faq.htm#harden
>
>PS this log does not prove that your server has not been hacked ever, just
>that it does not appear to have been hacked today via IIS. If you want to
>look for signs of a successful hacking, you can try this:
>
>http://securityadmin.info/faq.htm#hacked
>http://securityadmin.info/faq.htm#re-secure
>
>
>
>"BobOki" <boboki@boboki.com> wrote in message
>news:314f01c2b9c6$9dd684e0$d3f82ecf@TK2MSFTNGXA10...
>I got hacked last night, seems they were using the same
>old same old hack that Microsoft said they patched in the
>last service pack! (Windows 2000 Server SP3)
>
>Here's the log,
>
>2003-01-11 21:47:14 24-240-234-157.charter.com - GET /scripts/root.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:14 24.240.234.157 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -
>2003-01-11 21:47:16 24-240-234-157.charter.com - GET /c/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:16 24-240-234-157.charter.com - GET /d/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:19 24.240.234.157 - GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 403 4227 HTTP/1.0 - -
>2003-01-11 21:47:19 24-240-234-157.charter.com - GET /scripts/..Á../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:20 24-240-234-157.charter.com - GET /scripts/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%2f../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>
>That's the last I have on there until I accessed it this
>morning, having been hacked by F3PN.
>Anyone have any insight on this?
>
>
>
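The status-code reading given in the quoted reply (40x is no success, 500 is usually no success, 200 is usually success), applied to log lines in the format shown in this thread. This is an added example, not part of the original messages; the regexes, function names and the two sample lines marked as constructed are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Field order as in the log quoted in this thread:
# date time client user method uri status bytes version ...
LINE = re.compile(r"^(\S+) (\S+) (\S+) \S+ (\S+) (\S+) (\d{3}) (\d+) ")
PROBE = re.compile(r"(root|cmd)\.exe", re.I)

def triage(status):
    """Map a status code to the reading given in the quoted reply."""
    if 400 <= status < 500:
        return "failed"        # 40x: no success
    if status == 500:
        return "review"        # usually no success, but not always
    if status == 200:
        return "investigate"   # usually success, but not always
    return "other"

def scan(lines):
    """Return (verdict, client, uri, status) for each probe-like request."""
    hits = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        _date, _time, client, _method, uri, status, _size = m.groups()
        decoded = unquote(uri)  # %5c -> backslash, %2f -> slash
        traversal = "../" in decoded or "..\\" in decoded
        if PROBE.search(decoded) or traversal:
            hits.append((triage(int(status)), client, uri, int(status)))
    return hits

def summary(lines):
    """Count probe-like requests per verdict."""
    return Counter(hit[0] for hit in scan(lines))

SAMPLE = [
    # First three lines are taken from the log quoted in this thread.
    "2003-01-11 21:47:14 24-240-234-157.charter.com - GET /scripts/root.exe 404 5852 HTTP/1.0 - -",
    "2003-01-11 21:47:14 24.240.234.157 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -",
    "2003-01-11 21:47:17 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -",
    # Constructed lines: an ordinary page hit, and a probe answered with 200.
    "2003-01-11 21:50:02 192.0.2.10 - GET /default.htm 200 1043 HTTP/1.0 - -",
    "2003-01-11 21:50:05 192.0.2.10 - GET /scripts/..%5c../winnt/system32/cmd.exe 200 512 HTTP/1.0 - -",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(*hit)
    print(dict(summary(SAMPLE)))
```

A log in which every probe lands in "failed" or "review" matches the reply's reading that nothing succeeded through IIS in that window; any "investigate" row is where to start digging.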