The latest Hack 1

[Zelandakh]

Anyone suffered the chinese hack aimed at US sites where your index page is replaced with a black screen and some rather unpleasant text?

My IIS got hit yesterday (and I'm UK based with no company links to the US).

Anyone know how I can plug the hole they used and if it caused any more problems than just the index.htm page?

 

[Ghost]

Yes, we had the same hack. Files were uploaded to about 4 different areas -- however because we run virtuals they never found the "right" spots.

Our security consultant tidied things up and we shored up our security with some additional downloads from Microsoft. Sorry I don't know exactly what or where.

I'll have them post in here if I can.

What idiots.

Ghost

 

[chiph]

Zelandakh -

I haven't had that, but I did notice the following in my log:
[tt]
2001-05-15 23:56:53 202.96.206.75 - 192.168.0.3 80 GET /scripts/..ü€€€€¯../winnt/system32/cmd.exe /c+dir 404 -
[/tt]
It looks as if they were trying to run a command prompt by sending some junk characters.

After seeing this, my decision to put the site on a different drive from the OS was a good one

Chip H.

 

[Guest_imported]

For past one month the hacker is doing the same stuff even for our website. It is the third time he has done by changing only the index page. I changed all the users profiles etc even then he is able to hack our website. Can any one help me out. What to do?

Brainys

 

[chiph]

Brainys -

Have you got the latest patches and hotfixes on your server?

Chip H.

 

[cckrocks]

Look for root.exe in your scripts folder. It is the program that they used to upload the files and put them in the directories. If you don't delete that they could gain access back into your system even if you patch it. Delete that and delete all the index.htm, default.htm, index.asp, and default.asp files that they uploaded and you will be clear. Then update with SP2 if you are running WIN2K and you will be safe (for now).

 

[Zelandakh]

What if I'm still running NT4?

 

[cckrocks]

Same thing applies, just get all the updates that are available, and subscribe to the Microsoft Security Bulletin

http://www.microsoft.com/technet/security/notify.asp

Just make sure to remove the root.exe file so that the attack can't easily happen again.

 

[dpellegrini]

Thanks for the info. I found the attack because I monitor BlackIce IDS daily. I'm able to block the source address with BlackIce, and the attack did not occur again, however I didn't know about the root.exe file. It looks like it's just a dos shell launcher of some kind. I will have to keep an eye on the forum more often.
Thanks Again.
Domenick Pellegrini

Domenick Pellegrini
dpellegrini@yahoo.com

 

[Drtheater]

a lot of pachs to iis together

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=29764

 

[veritas7]

One of our dev servers got hit with that too 2 weeks ago. It exploits the web server folder transveral vulnerability. Use the latest MS Ipsec patch and all is well:

http://www.microsoft.com/ntserver/nts/downloads/critical/q293826/default.asp

 

[Cranberry]

Hi all.

You also may want to have a look at securing your servers based on some recommended (and unrecommended procedures It will still not block attacks on port 80 - on which you serve http, but it will minimise many of the vulnerabilities iis4 suffers from.

have a look at these links:

http://www.microsoft.com/technet/security/iischk.asp

http://packetderm.cotse.com/mailinglists/ntbugtraq/2000/Oct/0029.html

http://www.shebeen.com/iis4_nt4sec.htm

You can also use a snort which is freely distributed intrusion detection software available at

http://www.snort.org

 

[Zelandakh]

Not sure if it is related to the hack or the reinstallation of the service pack, but following this I now get

"Your current password is about to expire in 0 days. To change your password, go to the Options page after you login"

when you connect to Outlook Web Access. This happens for all users. Why?

Passwords policy is to never expire.

 

[Guest_imported]

Guys,

Change permission in cmd.exe, root.exe (if any) to administrator permission only.

This will solve some of it. I hope

Cheers

 

[Guest_imported]

I, too, was hit by this hack. After much searching and a lot cursing I narrowed it down to one thing: the ftp Server. By default it is turned on and allows anonymous access. Turn it off if it's on. I turned mine of and applied the security patches found on the MS web site for IIS 4.0 and have been OK since. Relace your default.htm and get root.exe out of there and you should be OK. Personally I was just runing OWA and I uninstalled IIS and reinstalled it with OWA and applied the security updates and stopped all FTP services. Been OK since. From what I have heard it is not a very malicous attack, targeting machines with this vulnerabilty and moving on. FWIW and YMMV.

Alex

 

[quackers]

This is a well known hack and can be carried out through port 80, as a default IIS allows allkinds of file extensions
.htr .hta etc etc now it doesnt automatically chack that the file with that extension exists, and so it is quite easy
to cause a buffer overflow and upload netcat or root .exe
to solve them reuploading this file go to iis default properties, home directory, configuration and all the file extensions are listed make sure in the properties tab that check this file exists is ticked. also makesure the msadc directery and in particular showcode.asp are disabled, just blocking the address will not work either becaus the atack is carried out through port 80 and the attacker only has to go through a proxy to bypass that. if anyone wants more info or links on this e-mail me at andymcqueen@mailcity.com