How to find out a new tool / exploit

Networking/Security Forums -> Exploits // System Weaknesses

Author: INFOSECNYC | Location: Earth | Posted: Wed Oct 16, 2002 4:13 pm | Post subject: How to find out a new tool / exploit
    ----
Seems like someone has been trying to change all the web servers' Admin account passwords.

We have like 6 public web servers, and someone tried to change the password on all of them. (They failed.)

I was just wondering: if only port 80 is open, how, or with what "tool", are they attempting these password changes?

We run IIS, and we think it is locked down to the best of our knowledge, but how can someone try to change the account passwords from port 80???

I know if they attempt a Unicode attack on the server to try and get access to cmd.exe they will fail.

So I am baffled as to what "tool" or "exploit" they're using.

Any ideas???

Thanks in advance!

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Wed Oct 16, 2002 4:25 pm
    ----
Have you looked in the IIS logs for anything that looks like a folder traversal or anything else vaguely suspicious?

Do you have term services or anything running?

If you PM me the IP of one of them I'll have a look.

Have you run the IIS Lockdown tool and all the critical updates/SPs?

Author: INFOSECNYC | Location: Earth | Posted: Wed Oct 16, 2002 5:12 pm | Post subject: Locked down
    ----
All patches applied, all required ISAPI mappings removed, proper ACLs applied, Lockdown tool installed, URLScan applied, and the box is behind a Cisco PIX.

The setup is running off a CSS box.

The master web server runs APP Center, which has 5 child servers below it.

You have to hit the CSS box (IP address) in order to hit the other 5 servers.
(Load balancing reasons)

-------------------------------------------

I just checked logs, everything looks fine.
No unicode attacks, folder traversal, nothing.
Only service running is IIS.
Patches are up to date.
-------------------------------------------

Too weird.

Author: ShaolinTiger | Location: Kuala Lumpur, Malaysia | Posted: Wed Oct 16, 2002 5:14 pm
    ----
Then how do you know someone tried to change the passwords?

From event logs?

Maybe it was someone on the inside...

Best thing you can do is run some logging tools (packet sniffer, firewall access logs etc) and wait for this to happen again, then analyse the data from the time matched to the event log (if this is where you're getting the info from).

Other than that, weird indeed!
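The log review suggested above (look through the IIS logs for traversal attempts, then line the entries up against the event-log time) is easy to script. The following is an added example, not code from anyone in this thread: it assumes the IIS W3C extended log format with a `#Fields:` header, uses constructed sample lines and addresses, normalises URL encoding (including double encoding and the overlong UTF-8 forms of the path separators) before looking for `..`, tags the well-known Code Red `default.ida` probe, and marks requests within a few minutes of a given event-log timestamp.

```python
# Added example (not from the thread): triage an IIS W3C extended log for
# traversal / overlong-UTF-8 indicators and pull out requests that fall near
# an event-log timestamp. Log lines and IPs below are constructed sample data.
from datetime import datetime, timedelta
from urllib.parse import unquote_to_bytes

# Constructed IIS 5.0 W3C extended log excerpt (assumed field layout).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-16 15:58:01 203.0.113.5 GET /default.asp - 200
2002-10-16 16:02:14 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2002-10-16 16:03:40 198.51.100.7 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 404
2002-10-16 16:10:02 203.0.113.5 POST /login.asp - 302
2002-10-16 16:11:15 192.0.2.9 GET /default.ida XXXX%u9090%u6858 400
"""


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def has_traversal(raw_stem):
    """True if the request path contains '..' followed by a separator once
    URL encoding (including double encoding) and the overlong UTF-8 forms
    of '/' and '\\' are normalised away."""
    decoded = unquote_to_bytes(unquote_to_bytes(raw_stem))
    decoded = decoded.replace(b"\xc0\xaf", b"/").replace(b"\xc1\x9c", b"\\")
    return b"../" in decoded or b"..\\" in decoded


def is_code_red_probe(raw_stem):
    """Code Red hit the Index Server ISAPI filter via /default.ida."""
    return raw_stem.lower().endswith("/default.ida")


def near(row, center, minutes):
    # IIS writes W3C logs in UTC while the Windows event log shows local
    # time; convert the event time to UTC before comparing.
    ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
    return abs(ts - center) <= timedelta(minutes=minutes)


def triage(log_text, event_time_utc, minutes=5):
    """Return (time, client ip, uri stem, tags) for every line worth a look.

    event_time_utc is a 'YYYY-MM-DD HH:MM:SS' string taken from the event log
    and already converted to UTC."""
    center = datetime.strptime(event_time_utc, "%Y-%m-%d %H:%M:%S")
    hits = []
    for row in parse_w3c(log_text):
        tags = []
        if has_traversal(row["cs-uri-stem"]):
            tags.append("traversal")
        if is_code_red_probe(row["cs-uri-stem"]):
            tags.append("code-red-probe")
        if near(row, center, minutes):
            tags.append("near-event")
        if tags:
            hits.append((row["time"], row["c-ip"], row["cs-uri-stem"], tags))
    return hits


if __name__ == "__main__":
    # Constructed event-log time of the failed password change (already UTC).
    for hit in triage(SAMPLE_LOG, "2002-10-16 16:10:00"):
        print(hit)
```

Point it at a real log by reading the file into `triage` in place of `SAMPLE_LOG`; the `near-event` tag is the part that answers the question in this thread, since a request that carries no attack signature but lands at the same second as the event-log entry is still the one to pull the packet capture for.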

Author: b4rtm4n | Location: Bi Mon Sci Fi Con | Posted: Wed Oct 16, 2002 5:36 pm
    ----
Looks a little like Code Red scanning the servers.

Author: INFOSECNYC | Location: Earth | Posted: Wed Oct 16, 2002 5:39 pm | Post subject: event logs
    ----
YEP.

By the event logs.

I'm definitely thinking it was someone from the inside.

Author: INFOSECNYC | Location: Earth | Posted: Wed Oct 16, 2002 5:40 pm | Post subject: No b4rtm4n..
    ----
It's not Code Red.

I would have seen the Unicode in the logs.

Author: Jason | Posted: Wed Oct 16, 2002 9:13 pm
    ----
Can you paste some of the event log entries for us to look at?

All times are GMT + 2 Hours