[Dshield] Something interesting I found in someone else's code capture...

Josh Ballard jballard at cloud.cc.ks.us
Sun Aug 5 19:29:54 GMT 2001


Well, I have found something quite interesting in a capture of the CodeRedII
code I found at http://www.unixwiz.net/techtips/CodeRedII.txt.  I was
looking through the code, and I noticed a section that looked like this:
	SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots
/Scripts    /MSADC  /C  /D  c:\,,217    d:\,,217
Now, the first thing I saw here was a modification of the registry entries
for the virtual roots on the webpage.  I don't have a theory as to why it is
here, but I have confirmed that the v2 shares the C and D drives (if
existing) out to the /C and /D virtual roots of the webpage.  For example,
if box 127.0.0.1 was compromised, you could see the entire contents of the C
drive by going to 127.0.0.1/C/.  The only thing that I have noticed is that
the directory listing is denied, but if you know the exact file name you
want, you can execute a file or download a file off the host from anywhere
on their hard drive.  I don't really understand what the author is wanting
to do with this, but I know it's not good.  I was able to download a file
off the hard drive of the infected machine, although I never viewed it, I
know this isn't good.  If anyone else has any theories, I would love to hear
them.  The only thought I had was that these modifications it makes to the
virtual roots as far as sharing the drive and adding the root.exe file into
the scripts is that this is maybe a part of the author's change so that he
can coordinate the DDoS to somewhere else besides whitehouse.gov as I think
that this could be potential...  Any other ideas would be great..

Josh Ballard
oofle.com Linux Firewall Center
http://www.oofle.com/
jballard at cloud.cc.ks.us
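A defender reading the post above will want a quick way to check an IIS box for the same kind of change: a virtual root whose on-disk path is a bare drive. The following is an added example, not code from the post, from the worm capture or from the linked techtip. It works on a constructed snapshot of the "Virtual Roots" key (value name to value data, as a registry export would show it) rather than reading the live registry, and it assumes the value layout "<path>,<username>,<flags>", inferred from the "c:\,,217" fragment quoted in the post; the 217 flag value is carried over from the post without decoding its bits.

```python
"""Flag IIS virtual roots that map straight to a drive root.

Added example; not code from the post or the CodeRedII capture it discusses.
Input is a constructed snapshot of the W3SVC "Virtual Roots" registry key.
Assumption: each value is "<path>,<username>,<flags>", inferred from the
"c:\\,,217" fragment quoted in the post.
"""
import re

# Registry key named in the post (lives under HKEY_LOCAL_MACHINE).
VROOTS_KEY = r"SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots"

# Constructed snapshot: value name -> value data.  The first three entries
# imitate ordinary IIS 4/5 roots (paths and flag numbers are made up for the
# example); /C and /D reproduce the additions described in the post, with
# the 217 flag value taken from the post as-is.
SAMPLE_VROOTS = {
    "/": r"c:\inetpub\wwwroot,,201",
    "/Scripts": r"c:\inetpub\scripts,,204",
    "/MSADC": r"c:\program files\common files\system\msadc,,205",
    "/C": r"c:\,,217",
    "/D": r"d:\,,217",
}

# A path that is nothing but a drive letter, with or without the trailing
# backslash ("c:" or "c:\").  Anything deeper is a normal content directory.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def parse_vroot(data):
    """Split one value into its path, username and numeric flags.

    Splits from the right so a path containing a comma would still parse;
    raises ValueError if the value does not have the assumed three fields.
    """
    parts = data.rsplit(",", 2)
    if len(parts) != 3:
        raise ValueError(f"unexpected virtual root data: {data!r}")
    path, user, flags = (p.strip() for p in parts)
    return {"path": path, "user": user, "flags": int(flags)}


def find_drive_root_vroots(vroots):
    """Return (name, path, flags) for every root that exposes a whole drive.

    Sorted by virtual root name so output is stable for comparison across
    hosts or across repeated runs.
    """
    hits = []
    for name, data in vroots.items():
        entry = parse_vroot(data)
        if DRIVE_ROOT.match(entry["path"]):
            hits.append((name, entry["path"], entry["flags"]))
    return sorted(hits)


def report(vroots, key=VROOTS_KEY):
    """Print a short finding per suspicious root; returns the hit count."""
    hits = find_drive_root_vroots(vroots)
    for name, path, flags in hits:
        print(f"{key}\\{name} -> {path} (flags {flags}): whole drive exposed")
    if not hits:
        print(f"{key}: no virtual root maps to a bare drive")
    return len(hits)


if __name__ == "__main__":
    report(SAMPLE_VROOTS)
```

On a real host the dictionary would be filled from the key named in the post (for example by parsing a `reg export` of it); the check itself is independent of how the snapshot was obtained, which is why the example keeps the two steps separate.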
