* Eric Robinson sez:
: The hack uses an eight-month old exploit that allows an attacker to submit
... that could have been used differently. What about a +c
ftp://my.trojan.com?
: URLs to an IIS server containing double-byte (Unicode) characters. By
: substituting the string "%0c%0a" (not sure if those are the right hex codes,
: but you get the idea) for "\", the attacker can cause IIS to traverse
: folders to which a remote user would not ordinarily have access and execute
: commands in the context of the IUSR_<machine_name> account.
This one, in particular, used the well known /script exploit. Some
companies I know got hit pretty badly.
: The attack did not, as one user has suggested, "muck around with some DLL
: files."
But they could have. Maybe not this one - this guy/group WANTED
attention. Others rather 0wn and stay silent. Instead of a simple
copy/echo, the attacker (someone else) could have installed some rather
nasty stuff or simply downloaded and executed a dnetc-trojan. You never
know, that's what post mortem was made for, right?
: Yes, a person who uses the folder traversal exploit COULD install a Trojan,
: but the "fuck usa" attack did not do this. It was totally automated and
: simply defaced a few thousand web pages.
It was a good indicator that one was running a vulnerable version of IIS
- before that day and maybe 2-3 more days afterwards. Some victims just
replaced default.* and lived on - basically the best of all invitations
for the next cracker kiddie to do something nasty.
: Members of this list who suggest that you should reformat and reinstall
: after a hacking incident are only partially correct. Starting with a clean
Well, they are incorrect - basically. But assuming the website owner
knows nothing about his system, has no clue how to detect incorrect
system activities, has no means of comparing files with a clean snapshot
and is generally security inadept (the fact that he got hit by an 8-month-old
problem kinda suggests part of that), a clean install might be
a convenient answer to the attack, maybe followed by a) hiring Someone
Who Knows[tm] and b) starting to care.
: slate is the only way to be sure you have eliminated your problem if you
: don't already know the exact nature of the attack. In this case, we do. :-)
He knows basically three things:
a) he got hit (obvious)
b) he could have been hit before (maybe)
c) he's not that security savvy (obvious)
a and c make a good case for the reinstallation scenario, right?
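As an added, defensive example that is not part of this thread: a small Python log filter that decodes request paths the way a permissive decoder would (double percent-encoding and overlong UTF-8 included) and flags the folder traversal the quoted explanation describes. The log field layout and the sample lines are constructed, and the %c0%af / %c1%9c pairs are assumed here to be the overlong two-byte forms of "/" and "\", since the original poster was unsure of the exact codes.

```python
import re
from urllib.parse import unquote_to_bytes

# ".." as a whole path segment, with either separator, checked after decoding.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def fold_overlong_ascii(raw: bytes) -> bytes:
    """Collapse two-byte UTF-8 forms of ASCII (lead byte 0xC0/0xC1) to the ASCII
    byte; strict decoders reject them, lenient ones map them to '/' or '\\'."""
    out, i = bytearray(), 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)

def normalize_path(path: str, max_passes: int = 2) -> str:
    """Percent-decode up to max_passes times (catches %25 double encoding),
    then fold overlong bytes, so the check sees what a permissive server sees."""
    raw = path.encode("latin-1", "replace")
    for _ in range(max_passes):
        if b"%" not in raw:
            break
        raw = unquote_to_bytes(raw)
    return fold_overlong_ascii(raw).decode("latin-1")

def is_traversal(path: str) -> bool:
    return TRAVERSAL.search(normalize_path(path)) is not None

def flag_log_lines(lines):
    """Return (client_ip, raw_uri) for lines whose URI decodes to a traversal.
    Assumed, constructed field layout: date time c-ip method uri-stem status."""
    flagged = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 6 and is_traversal(parts[4]):
            flagged.append((parts[2], parts[4]))
    return flagged

# Constructed sample lines, not taken from any real server log.
SAMPLE_LOG = [
    "2001-05-01 10:15:02 203.0.113.7 GET /default.htm 200",
    "2001-05-01 10:15:09 203.0.113.7 GET /scripts/..%c0%af../private/notes.txt 200",
    "2001-05-01 10:16:30 198.51.100.9 GET /images/logo.gif 304",
    "2001-05-01 10:17:01 198.51.100.9 GET /scripts/..%255c..%255cprivate/notes.txt 200",
]
```

Running the filter over the sample lines flags the two encoded traversal requests and leaves the ordinary page fetches alone; a request whose ".." is only part of a file name is not reported.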