On Tuesday 26 November 2002 03:03 pm, Mark G. Spencer wrote:
> I just ran Nessus 1.2.6 (partial scan) against a local Windows 2000 DNS
> Server and Nessus reported (in addition to all kinds of services
> running):
>
> "Possible Backdoors:
> iiscrack.dll - /scripts/httpodbc.dll
> iise.exe - /scripts/idq.dll"
>
> Could someone tell me more about the test that determines these files
> to potentially be backdoors? I did some quick searching on Google and
> it looks like this could indicate the presence of (in Symantec
> terminology) W32.Nimda.E@mm. I'm curious how Nessus correlates
> httpodbc.dll to iiscrack.dll.
You definitely want to look into it. The "iiscrack.dll" exploit needs to be renamed to one of about a dozen different "trusted" DLL names to work correctly; a number of worms/scripts rename this file to httpodbc.dll. The "iise.exe" exploit is similar, but the check for it has to use a HEAD request instead of a GET due to the way the program runs. The server-side to iise.exe is usually named "idq.dll", but can also be any of the same dozen names. Both crackers and automated worms use this exploit to gain SYSTEM access through IIS; that level of access is needed to modify user accounts or effectively backdoor the system.

For more information about the exploit or the vulnerability, check out the following URLs:

http://lists.jammed.com/pen-test/2001/08/0115.html

I am the author of the original exploit; unfortunately it was used en masse by a number of automated worms and has since turned up just about everywhere :(

The server in question is undoubtedly compromised. Try browsing to /scripts/httpodbc.dll; it will allow you to run commands as the SYSTEM user account if a certain patch wasn't applied.

The "HEAD" request checks are liable to false positive in the current version; the entire plugin was overhauled yesterday and a new version should be available soon which has a ton of new signatures.

-HD
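HD's reply describes two probes that differ only in the HTTP method used (a GET for /scripts/httpodbc.dll, a HEAD for /scripts/idq.dll) and notes that the HEAD-based check is prone to false positives. As an added example, not part of the thread and not the Nessus plugin's own code, the script below models those two checks offline against constructed responses. Everything beyond the two paths and methods named in the thread is assumed for illustration: the decision rule (a 200 on a GET counted as a hit, a 200 on a HEAD only as "possible"), the host name target.example, and the fake responder functions standing in for a live server.

```python
# Added example, not from the thread or from Nessus: an offline model of the
# two backdoor probes HD describes, run over constructed HTTP responses.
from typing import Callable, Dict, List, Tuple

# (exploit name, path the dropped file is usually found under, method the
# check must use), exactly as named in the thread.
PROBES: List[Tuple[str, str, str]] = [
    ("iiscrack.dll", "/scripts/httpodbc.dll", "GET"),
    ("iise.exe", "/scripts/idq.dll", "HEAD"),
]


def build_request(method: str, path: str, host: str = "target.example") -> bytes:
    """Raw HTTP/1.0 request as a scanner would put it on the wire.
    The host name is an assumed placeholder."""
    return f"{method} {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")


def parse_status(raw: bytes) -> int:
    """Status code from the first line of a raw HTTP response."""
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split()
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def classify(method: str, status: int) -> str:
    """Assumed decision rule (illustrative, not the plugin's signature logic):
      404          -> nothing at that path: 'clean'
      200 on GET   -> the path served content: 'backdoor'
      200 on HEAD  -> HEAD only shows that *something* answered, so the most
                      we can say is 'possible'; this is the false-positive
                      case HD warns about for the HEAD-based check
      anything else-> 'unknown' (auth required, server error, redirect, ...)
    """
    if status == 404:
        return "clean"
    if status == 200:
        return "backdoor" if method == "GET" else "possible"
    return "unknown"


def scan(responder: Callable[[str, str], bytes]) -> Dict[str, str]:
    """Run every probe. responder(method, path) returns raw response bytes;
    in a real scanner it would send build_request(...) over a socket."""
    findings: Dict[str, str] = {}
    for exploit, path, method in PROBES:
        build_request(method, path)  # what would go on the wire
        status = parse_status(responder(method, path))
        findings[f"{exploit} - {path}"] = classify(method, status)
    return findings


# Constructed responders: one imitating a host with both files dropped in
# /scripts, one imitating a host that has neither. These are made up for the
# example; a real IIS box will not answer with exactly these bytes.
def fake_compromised(method: str, path: str) -> bytes:
    if method == "GET" and path == "/scripts/httpodbc.dll":
        return b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>\r\n"
    if method == "HEAD" and path == "/scripts/idq.dll":
        return b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
    return b"HTTP/1.0 404 Not Found\r\n\r\n"


def fake_clean(method: str, path: str) -> bytes:
    return b"HTTP/1.0 404 Not Found\r\n\r\n"


if __name__ == "__main__":
    for label, responder in (("compromised", fake_compromised), ("clean", fake_clean)):
        print(label)
        for finding, verdict in scan(responder).items():
            print(f"  {finding}: {verdict}")
```

The point of separating `classify` by method is the caveat in the reply: a GET that returns a page from /scripts/httpodbc.dll is real evidence, while a 200 to a HEAD for /scripts/idq.dll can come from any handler mapped to that path, so the HEAD result is flagged for manual follow-up rather than reported as a confirmed backdoor.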
