[unisog] Crackers Targeting Web JetAdmin 6.5 Vulnerability
eckman at umn.edu
Fri May 14 18:03:34 GMT 2004
Just an FYI: We had a computer on campus that was broken into yesterday
via a vulnerability in HP Web JetAdmin 6.5 (default port of 8000/tcp).
The specific vulnerability is referenced at the following URL:
There is a link in that advisory to the exploit code that appears to
have been used. The vulnerability was exploited to write a x.txt file to
the root of the C: drive, and then call the Windows command line ftp
program to execute the commands listed in the x.txt file. That
downloaded the backdoor kit, which they then executed via the same Web

The backdoor kit that was downloaded was just under 1MB, and when run,
extracts several files to C:\recycler, including nc.exe (netcat),
win.exe (ServU and apparently an IRC bot), the ServU configuration files
and such. Some time afterward, r_admin was downloaded and installed to
listen on 4899/tcp.

In this case, the x.txt file and the kit (flash.exe) were left in the
root of the C: drive, they had nc.exe (netcat) binding cmd.exe to
3112/tcp, had ServU FTP server listening on 1986/tcp, and had r_admin
listening on port 4899/tcp. The FTP Server and R_admin were services
that were listed in the control panel's Services applet (the win.exe was
listed as "Serv-U FTP Server", the r_admin seemed to be the default
value, which I don't recall).

In the next hour of infection, our infected host appears to have
downloaded several other 1 MB files from various locations, apparently
as part of a speed test. However, this computer was not yet prepped for
Warez, so the motive is still unclear. Also, the cmd.exe backdoor on
port 3112/tcp was accessed one time early in the exploitation, but does
not seem to play a key role.

Upgrading to version 7.5 of Web JetAdmin reportedly fixes the flaw that
was exploited. The home page for this product is:

Anyway, I thought I would share this information. It's important to
remember that not only the high-profile stuff like MS04-011 is being
exploited. Any low-hanging fruit is game.

- The FTP Server had only one username, "admin" whose home dir was
C:\. There was no other directory structure found, specifically none
with aux1, nul, com, etc. as part of the directory name. This of course
does not count out Warez; I'm just pointing out that it doesn't point at
Warez. I ran the flash.exe in a test environment, and it joined a
channel on irc.after-all.org. The channel was silent except for bots
joining, quitting and phoning home that they successfully uploaded a
file, stuff like that. So, the channel itself didn't appear to be Warez,
but there are other channels on the server that are, and these *could*
eventually be migrated over.

OIT Security and Assurance
University of Minnesota
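Added example, not part of the original post: a small host-triage script that turns the indicators described above (the listeners on 8000, 3112, 1986 and 4899/tcp, and the x.txt, flash.exe, nc.exe and win.exe files) into a check a responder could run against a Windows host's `netstat -an` output and a file listing. The netstat rows and file paths embedded in the script are constructed sample input so it runs offline; the port roles and file descriptions are taken from the post, and everything else (function names, the regex for netstat rows) is this example's own assumption.

```python
"""Added example (not from the original unisog post): triage checks for the
indicators the post describes.

Indicators taken from the post:
  - TCP listeners on 8000 (Web JetAdmin 6.5 default), 3112 (nc.exe bound to
    cmd.exe), 1986 (Serv-U FTP) and 4899 (r_admin)
  - x.txt and flash.exe in the root of C:, nc.exe and win.exe under C:\recycler

SAMPLE_NETSTAT and SAMPLE_FILES below are CONSTRUCTED, not captured from the
incident; on a real host feed in `netstat -an` output and a directory listing.
"""
import re
from typing import Dict, List, Tuple

# Ports named in the post, with the role the post assigns to each.
WATCH_PORTS: Dict[int, str] = {
    8000: "HP Web JetAdmin 6.5 default port (the exploited service)",
    3112: "nc.exe binding cmd.exe (backdoor shell)",
    1986: "Serv-U FTP server (win.exe)",
    4899: "r_admin remote administration",
}

# Files the post lists as left on the victim; keys are lowercase for matching.
WATCH_FILES: Dict[str, str] = {
    r"c:\x.txt": "ftp command script written via the Web JetAdmin flaw",
    r"c:\flash.exe": "backdoor kit dropper",
    r"c:\recycler\nc.exe": "netcat",
    r"c:\recycler\win.exe": "Serv-U / IRC bot",
}

# Matches the "Proto  Local Address  Foreign Address  State" rows of Windows
# netstat output (assumed layout; UDP rows have no State column).
_NETSTAT_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+(?P<faddr>\S+)\s*(?P<state>\S+)?",
    re.IGNORECASE,
)


def find_suspicious_listeners(netstat_output: str) -> List[Tuple[int, str, str]]:
    """Return (port, local address, reason) for each TCP LISTENING row on a watched port."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # header, blank line or unrecognised row
        port = int(m.group("lport"))
        state = (m.group("state") or "").upper()
        if m.group("proto").upper() == "TCP" and state == "LISTENING" and port in WATCH_PORTS:
            hits.append((port, m.group("laddr"), WATCH_PORTS[port]))
    return hits


def find_dropped_files(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for each path matching a file named in the post."""
    hits = []
    for p in paths:
        key = p.strip().lower().replace("/", "\\")  # normalise case and separators
        if key in WATCH_FILES:
            hits.append((p, WATCH_FILES[key]))
    return hits


# --- constructed sample input (NOT captured from the incident) ---
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1986           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3112           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3112        198.51.100.7:41022     ESTABLISHED
  UDP    0.0.0.0:4899           *:*
"""

SAMPLE_FILES = [
    r"C:\x.txt",
    r"C:\flash.exe",
    r"C:\recycler\nc.exe",
    r"C:\recycler\win.exe",
    r"C:\WINDOWS\system32\ftp.exe",  # legitimate tool the post says was abused; not flagged
]

if __name__ == "__main__":
    for port, addr, why in find_suspicious_listeners(SAMPLE_NETSTAT):
        print(f"[listener] {addr}:{port} - {why}")
    for path, why in find_dropped_files(SAMPLE_FILES):
        print(f"[file]     {path} - {why}")
```

Only rows in the LISTENING state count, so the established connection to 3112/tcp in the sample is reported through its listener rather than separately; a port-only match would also fire on ordinary outbound traffic that happens to use these numbers. The 8000/tcp entry is kept in the list because, per the post, the fix is the Web JetAdmin upgrade, so an unpatched 6.5 install still listening there is itself a finding.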