Re: MS Vulnerability? I was hacked!

From: Karl Levinson [x y] mvp (jamescagney90210@excite.com)
Date: 01/12/03


From: "Karl Levinson [x y] mvp" <jamescagney90210@excite.com>
Date: Sun, 12 Jan 2003 09:19:43 -0500

I wish you had mentioned that in your original post; that would have made my
answer very different and more correct.

First, to determine how you were hacked, look for clues in this way:

http://securityadmin.info/faq.htm#hacked

It's a good idea to determine how the hack occurred so you can close that
hole and check other machines for vulnerabilities.

I doubt this is a new vulnerability, just an old one you neglected to close.
It could also have come through NetBIOS / windows networking if you don't
have a firewall. Things you should do to secure your computers AFTER you
are finished investigating are at:

http://securityadmin.info/faq.htm#harden
http://securityadmin.info/faq.htm#auditing
[ and also http://securityadmin.info/faq.htm#re-secure if you've been
hacked]

If the hack went through IIS, I would expect it to be logged there. If it's
not logged, I suspect it went through another route. I doubt DNS server was
used to get your computer to trust the other computer, since Windows
typically does not give much trust to computers based on DNS names. If you
are not up to date on your security patches from Microsoft, it could, I
suppose, be an unpatched buffer overflow in DNS or another service that
permitted running remote code.

If you have a firewall or upstream router, you should check those logs. If
you don't have a firewall or aren't saving your logs, well, that's a big
mistake. Firewalls are free. Windows doesn't yet natively capture source
IP addresses in most of its logs, so without a log from a third party
firewall or router, you'll probably never find out who did this.

http://securityadmin.info/faq.htm#firewall

I would check all your logs as you are doing now, including trying to look
for log files you might not be aware of having.

"BobOki" <boboki@boboki.com> wrote in message
news:3e9301c2b9d2$cfe2c050$8ef82ecf@TK2MSFTNGXA04...
Yeah, that's what I thought too... but, then again, all my
index.htm/.html/.asp and default.htm/.html/.asp were changed
to new files stating that "F3NP OWNS YOU! f3np@iname.com"
I was on very late last night, and went to bed shortly
before this. I was the last person to access my logs before
this, and the first person to access them afterwards. This
is the only thing that was logged, and it's a hack attempt.
I am assuming that whatever they did did not get logged.
This is why I am thinking it is something new like a
variation of Code Red that affects IIS somehow. I checked
my logs for FTP. They showed no attempts at all on it.
Most other ports are closed. My mail server is clean...
So that leads me to believe it's something in IIS.

Doing a Yahoo search for F3NP brought up a good deal of
webpages hacked by the same person/group. So definitely
take this as a warning to all... They ARE actively hacking
right now....

I guess what I need is #1. make people aware that there IS
a vulnerability right now.. though what it is I cannot say,
and also to get some information on how I can dig deeper
to find what they could have done, how they got in, etc
etc.

>-----Original Message-----
>I think it's inconclusive to say whether you've been hacked. From this log
>it looks like nothing was done, leading me to believe that whatever it was
>gave up after having no success.
>
>Additionally, code 404, 403, 40x etc. is so far always a code of no success.
>500 is usually no success but not always. 200 is usually success but not
>always. For more information on this, see:
>
>http://securityadmin.info/faq.htm#iislogs2
>http://securityadmin.info/faq.htm#iislogs
>
>This looks like a worm like Nimda or Code Red. There's nothing you really
>can or should do to stop these from hitting your server; you just need to be
>sure your server is hardened against them, which it seems you are. Everyone
>gets tons of these attempts in their IIS logs.
>
>Having said that, you should really consider running URLScan, which is free
>from Microsoft and comes with IISLockdown. The 500 error codes also indicate
>you may not have followed the IIS hardening checklists out there, starting
>with the ones from www.microsoft.com/technet/security
>
>Other things you should consider doing to harden your system are at:
>
>http://securityadmin.info/faq.htm#harden
>
>PS: this log does not prove that your server has not been hacked ever, just
>that it does not appear to have been hacked today via IIS. If you want to
>look for signs of a successful hacking, you can try this:
>
>http://securityadmin.info/faq.htm#hacked
>http://securityadmin.info/faq.htm#re-secure
>
>
>"BobOki" <boboki@boboki.com> wrote in message
>news:314f01c2b9c6$9dd684e0$d3f82ecf@TK2MSFTNGXA10...
>I got hacked last night, seems they were using the same
>old same old hack that Microsoft said they patched in the
>last service pack! (Windows 2000 Server SP3)
>
>Here's the log:
>
>2003-01-11 21:47:14 24-240-234-157.charter.com - GET /scripts/root.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:14 24.240.234.157 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -
>2003-01-11 21:47:16 24-240-234-157.charter.com - GET /c/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:16 24-240-234-157.charter.com - GET /d/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:17 24-240-234-157.charter.com - GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:19 24.240.234.157 - GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 403 4227 HTTP/1.0 - -
>2003-01-11 21:47:19 24-240-234-157.charter.com - GET /scripts/..Á../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:20 24-240-234-157.charter.com - GET /scripts/winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:21 24-240-234-157.charter.com - GET /winnt/system32/cmd.exe 404 5852 HTTP/1.0 - -
>2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:22 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>2003-01-11 21:47:23 24-240-234-157.charter.com - GET /scripts/..%2f../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
>
>That's the last I have on there until I accessed it this
>morning, having been hacked by F3PN.
>Anyone have any insight on this?
>
>
>---
>Outgoing mail is certified Virus Free.
>Checked by AVG anti-virus system (http://www.grisoft.com).
>Version: 6.0.435 / Virus Database: 244 - Release Date:
12/30/2002

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.443 / Virus Database: 248 - Release Date: 1/10/2003
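The quoted log lines are the raw cs-uri-stem as IIS wrote it, so the `..%5c..`, overlong-UTF-8 and `%255c` forms have to be decoded by the analyst before it is clear what the server was actually asked for. The script below is an added example for this page, not code from either poster. It decodes constructed sample lines (modeled on the ones BobOki pasted, but with a TEST-NET address and two invented status-200 lines to exercise the "likely success" path), flags requests that climb out of the web root or target cmd.exe/root.exe, and applies the 40x / 500 / 200 reading of sc-status that Karl gives in the thread. The W3C field order in the `#Fields:` line is an assumption; the `%c0%af` / `%c1%9c` overlong sequences are the ones the IIS Unicode traversal bug accepted, and `%255c` is the double-decode form.

```python
"""Triage IIS W3C log lines for Unicode / double-decode traversal probes.

Added example for this thread, not code from the original posts. It assumes
the W3C field order in the sample's #Fields: line; the 40x / 500 / 200
reading of sc-status is the heuristic from the thread, not proof either way.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines modeled on the ones in the post. The address is a
# TEST-NET one and the two status-200 cmd.exe lines are invented for the demo.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-bytes cs-version cs-uri-query cs(User-Agent)
2003-01-11 21:47:14 203.0.113.7 - GET /scripts/root.exe 404 5852 HTTP/1.0 - -
2003-01-11 21:47:14 203.0.113.7 - GET /MSADC/root.exe 403 4227 HTTP/1.0 - -
2003-01-11 21:47:17 203.0.113.7 - GET /scripts/..%5c../winnt/system32/cmd.exe 500 0 HTTP/1.0 - -
2003-01-11 21:47:19 203.0.113.7 - GET /scripts/..%c1%9c../winnt/system32/cmd.exe 200 1433 HTTP/1.0 - -
2003-01-11 21:47:23 203.0.113.7 - GET /scripts/..%255c../winnt/system32/cmd.exe 200 1433 HTTP/1.0 - -
2003-01-11 21:50:01 198.51.100.9 - GET /index.htm 200 3412 HTTP/1.1 - -
"""

# Overlong two-byte UTF-8 forms of '/' and '\' that the IIS Unicode bug accepted.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
SHELL_TARGET = re.compile(r"/(cmd|root)\.exe$", re.I)


def decode_uri(stem: str) -> str:
    """Decode a logged cs-uri-stem the way a too-permissive server would:
    percent-decode twice (so %255c becomes a backslash), collapse the overlong
    sequences, and treat '\\' as a path separator the way Windows does."""
    data = stem
    for _ in range(2):
        raw = unquote_to_bytes(data)
        for bad, good in OVERLONG.items():
            raw = raw.replace(bad, good)
        data = raw.decode("latin-1")
    return data.replace("\\", "/")


def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the URL root, i.e. the request is
    trying to leave the web site's directory tree entirely."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def verdict(status: int) -> str:
    """The thread's reading of sc-status: 40x never success, 500 usually not,
    200 usually success. None of it is proof on its own."""
    if status == 200:
        return "likely-success"
    if status == 500:
        return "usually-failed"
    if 400 <= status < 500:
        return "failed"
    return "unknown"


def triage(log_text: str) -> list:
    """Return one finding per request that looks like a traversal / shell probe."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 9:
            continue
        date, time, c_ip, _user, _method, stem, status, _bytes, _ver = fields[:9]
        decoded = decode_uri(stem)
        reasons = []
        if escapes_webroot(decoded):
            reasons.append("traversal")
        if SHELL_TARGET.search(decoded):
            reasons.append("shell-target")
        if "%25" in stem.lower():
            reasons.append("double-encoded")
        if re.search(r"%c[01]%", stem, re.I):
            reasons.append("overlong-utf8")
        if reasons:
            findings.append({
                "time": f"{date} {time}", "ip": c_ip, "stem": stem,
                "decoded": decoded, "status": int(status),
                "verdict": verdict(int(status)), "reasons": reasons,
            })
    return findings


def summarize(findings: list) -> dict:
    """Per source IP: how many probes were seen and how many came back 200."""
    by_ip = {}
    for f in findings:
        s = by_ip.setdefault(f["ip"], {"attempts": 0, "likely_success": 0})
        s["attempts"] += 1
        if f["verdict"] == "likely-success":
            s["likely_success"] += 1
    return by_ip


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f'{f["time"]} {f["ip"]} {f["status"]} {f["verdict"]:15} '
              f'{",".join(f["reasons"])}  {f["decoded"]}')
    print(summarize(found))
```

Run it against a real ex*.log by replacing SAMPLE_LOG with the file contents; the `#Fields:` line is skipped, so only the positional assumption matters. A 200 on a decoded `../../winnt/system32/cmd.exe` is the line worth chasing in the other logs Karl mentions (firewall, router, event logs), and a run of 500s with `sc-bytes 0` is the pattern his first reply attributes to a hardened-but-not-locked-down server rather than a compromise.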

