Security Forums
How to find out a new tool / exploit

INFOSECNYC
Posted: Wed Oct 16, 2002 4:13 pm    Post subject: How to find out a new tool / exploit

Seems like someone has been trying to change the Admin account passwords on all the web servers.

We have about 6 public web servers, and someone tried to change the password on all of them (they failed).

I was just wondering, if only port 80 is open, how, or with what "tool", are they attempting these password changes?

We run IIS, and we think it is locked down to the best of our knowledge, but how can someone try to change the account passwords from port 80?

I know if they attempt to unicode attack the server to try and get access to the cmd.exe they will fail.

So I am baffled as to what "tool" or "exploit" they're using.

Any ideas?

Thanks in advance!
ShaolinTiger
Posted: Wed Oct 16, 2002 4:25 pm

Have you looked in the IIS logs for anything that looks like a folder traversal or anything else vaguely suspicious?

Do you have term services or anything running?

If you PM me the IP of one of them I'll have a look.

Have you run the IIS lockdown tool and all the critical updates/SP's?
INFOSECNYC
Posted: Wed Oct 16, 2002 5:12 pm    Post subject: Locked down

All patches applied, all unneeded ISAPI mappings removed, proper ACLs applied, lockdown tool installed, URLScan applied, and the box is behind a Cisco PIX.

The setup is running off a CSS box.

The master web server runs App Center, which has 5 child servers below it.

You have to hit the CSS box (IP address) in order to hit the other 5 servers (load balancing reasons).

-------------------------------------------

I just checked logs, everything looks fine.
No unicode attacks, folder traversal, nothing.
Only service running is IIS.
Patches are up to date.
-------------------------------------------

Too weird.
ShaolinTiger
Posted: Wed Oct 16, 2002 5:14 pm

Then how do you know someone tried to change the passwords?

From event logs?

Maybe it was someone on the inside..

The best thing you can do is run some logging tools (packet sniffer, firewall access logs, etc.) and wait for this to happen again, then analyse the data from the time matched to the event log (if that is where you're getting the info from).

Other than that, weird indeed!
b4rtm4n
Posted: Wed Oct 16, 2002 5:36 pm

Looks a little like Code-Red scanning the servers.
INFOSECNYC
Posted: Wed Oct 16, 2002 5:39 pm    Post subject: event logs

Yep.

By the event logs.

I'm definitely thinking it was someone from the inside.
INFOSECNYC
Posted: Wed Oct 16, 2002 5:40 pm    Post subject: No b4rtm4n..

It's not Code Red.

I would have seen the Unicode in the logs.
Jason
Posted: Wed Oct 16, 2002 9:13 pm

Can you paste some of the event log entries for us to look at?