Do not--repeat, DO NOT reformat your hard drive and reinstall your OS. Some
users of this list have suggested this course primarily because they do not
understand the nature of the attack that placed the "fuck USA Government"
web page on your server.
The hack uses an eight-month old exploit that allows an attacker to submit
URLs to an IIS server containing double-byte (Unicode) characters. By
substituting the string "%0c%0a" (not sure if those are the right hex codes,
but you get the idea) for "\", the attacker can cause IIS to traverse
folders to which a remote user would not ordinarily have access and execute
commands in the context of the IUSR_<machine_name> account.
This particular attack performed exactly and *only* the following operations
on your server:
1. Copy cmd.exe to root.exe.
2. Create the files default.htm, default.asp, index.htm and index.asp. All
four files have the "fuck USA" message because the automated attack could
not be sure which you were using for your default page.
Check your web log file and you'll see the actual URLs that were submitted
to your server by the attack script. Look for URLs containing cmd.exe or
root.exe.
The attack did not, as one user has suggested, "muck around with some DLL
files."
It is important to realize that root.exe is nothing more than a copy of
cmd.exe. It is not a remote access Trojan, back-door, sniffer, key logger,
or anything else dangerous. Just delete the damn file and install the latest
cumulative security patch from http://www.microsoft.com/security and you'll
be fine. Also, it wouldn't hurt to simply stop using the scripts directory
(since most IIS applications don't utilize it) and set permissions on your
web folders to prohibit write access to the IUSR_<machine_name> account.
Yes, a person who uses the folder traversal exploit COULD install a Trojan,
but the "fuck usa" attack did not do this. It was totally automated and
simply defaced a few thousand web pages.
Members of this list who suggest that you should reformat and reinstall
after a hacking incident are only partially correct. Starting with a clean
slate is the only way to be sure you have eliminated your problem if you
don't already know the exact nature of the attack. In this case, we do. :-)
--
Eric Robinson
Network Architect
edurus, Inc.
www.edurus.com
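The log check Eric describes (look for URLs containing cmd.exe or root.exe), as an added example for this thread rather than code from any of the posters: a Python scan over IIS W3C extended log lines that flags the traversal requests and shows the path as the unpatched server would have decoded it. It decodes the overlong UTF-8 forms %c0%af ('/') and %c1%9c ('\') that this class of request relied on, with a lenient decoder modelled on the described behaviour; the log lines, client addresses and file names are constructed for the example.

```python
"""Scan IIS W3C extended log lines for the folder-traversal requests the
message above tells you to look for (cmd.exe / root.exe hits).

Added example for this thread; not code from any of the posters.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log lines in IIS 5 W3C extended format. They imitate the
# shape of the requests described above (traversal into winnt\system32 to copy
# cmd.exe to root.exe, then commands through root.exe); they are not taken
# from a real log file, and the client addresses are documentation ranges.
SAMPLE_LOG_LINES = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-05-25 02:11:07 198.51.100.23 GET /default.htm - 200",
    r"2001-05-25 02:11:09 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 200",
    r"2001-05-25 02:11:10 198.51.100.23 GET /scripts/root.exe /c+echo+defaced+>+..\wwwroot\default.htm 200",
    r"2001-05-25 02:11:11 198.51.100.23 GET /msadc/..%c1%9c..%c1%9c..%c1%9cwinnt/system32/cmd.exe /c+dir+c:\ 404",
    "2001-05-25 02:11:12 198.51.100.23 GET /_vti_bin/..%c1%1c../winnt/system32/cmd.exe /c+dir 200",
    "2001-05-25 02:12:40 203.0.113.8 GET /images/logo.gif - 200",
]

OVERLONG_RE = re.compile(r"%c[01]%", re.IGNORECASE)
INDICATORS = ("cmd.exe", "root.exe")


def decode_iis_path(raw):
    """Percent-decode a URI stem the lenient way the unpatched server did.

    Overlong two-byte sequences (lead byte 0xC0 or 0xC1) encode a code point
    that fits in 7 bits, which strict UTF-8 forbids.  The vulnerable decoder
    accepted them after the traversal check had run, so %c0%af became '/'
    and %c1%9c became '\\'.  The second byte is not validated here, so the
    %c1%1c variant decodes the same way.  (Modelled on the behaviour
    described in the thread; not Microsoft's code.)
    """
    data = unquote_to_bytes(raw)
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))
            i += 1
    return "".join(out)


def escapes_webroot(decoded):
    """True if the decoded path climbs above the virtual directory root."""
    depth = 0
    for seg in decoded.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def find_traversal_hits(lines):
    """Return the suspicious requests, each with the reasons it was flagged."""
    hits = []
    for rec in parse_w3c(lines):
        stem, query = rec["cs-uri-stem"], rec.get("cs-uri-query", "-")
        decoded = decode_iis_path(stem)
        reasons = []
        if OVERLONG_RE.search(stem):
            reasons.append("overlong-utf8")
        if escapes_webroot(decoded):
            reasons.append("traversal")
        haystack = (stem + " " + query).lower()
        reasons.extend(name for name in INDICATORS if name in haystack)
        if reasons:
            hits.append({"c-ip": rec["c-ip"], "stem": stem, "decoded": decoded,
                         "status": rec.get("sc-status"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG_LINES):
        print(hit["c-ip"], hit["status"], hit["decoded"], ",".join(hit["reasons"]))
```

To run it over a real log, pass the open file instead of SAMPLE_LOG_LINES (find_traversal_hits(open(path, encoding="latin-1"))); the #Fields line in the file drives the parsing, so logs with extra columns still work. A 200 on a cmd.exe or root.exe request is the line that matters: it means the command actually ran as IUSR_<machine_name>.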
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Nontakorn
Sent: Friday, May 25, 2001 4:16 AM
To: Ng, Kenneth (US); 'Ron DuFresne'; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: f**k USA government f**k poizonbox
Meaning.....scratch from the OS onwards?
Sorry....I was badly hit by this thing and need a solution......thanks,
group!!
Sincerely yours,
Nontakorn Roongphornchai (Jo+)
Thaifin.com
Tel: 679-5616, 679-5020 x 108
----- Original Message -----
From: "Ng, Kenneth (US)" <[EMAIL PROTECTED]>
To: "'Ron DuFresne'" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Friday, May 18, 2001 9:06 PM
Subject: RE: GUI client over untrusted network
> Emphasize INSTALL FROM SCRATCH, NOT FROM BACKUP. As well as the home page,
> they muck around with some DLL files. I'm not sure what they did, but it
> was very suspicious.
>
> -----Original Message-----
> From: Ron DuFresne [mailto:[EMAIL PROTECTED]]
> Sent: Friday, May 18, 2001 8:35 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: GUI client over untrusted network
>
>
>
> The solution is to take the machine off the net, and reinstall from
> scratch, secure it properly this time, then reconnect it.
>
> Thanks,
>
> Ron DuFresne
>
> On Fri, 18 May 2001 [EMAIL PROTECTED] wrote:
>
> >
> > Hi,
> >
> > One of our servers has been hacked. When a user uses the proxy, the
> > statement "fuck USA government fuck poizonbox" appears. Has anybody
> > experienced this problem, or does anybody know the solution to this?
> >
> > thanks
> > -
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
>
>
> ****************************************************************************
> The information in this email is confidential and may be legally privileged.
> It is intended solely for the addressee. Access to this email by anyone else
> is unauthorized.
>
> If you are not the intended recipient, any disclosure, copying, distribution
> or any action taken or omitted to be taken in reliance on it, is prohibited
> and may be unlawful. When addressed to our clients any opinions or advice
> contained in this email are subject to the terms and conditions expressed in
> the governing KPMG client engagement letter.
> ****************************************************************************
>
>