"they reported that the machine did NOT show any of the findings of the report"
Riiiiiiight. Not after the sysadmin deleted the files! ;-)
I've not seen a report like that one myself but I would be interested in finding out what the real story is. Has anyone actually checked the IIS directories for those files and gone through the IIS/system logs looking for evidence of hack exploits?
Good luck.
-----Original Message-----
From: Edmundson, Miles B. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, May 27, 2003 4:01 PM
To: '[EMAIL PROTECTED]'
Subject: Report results. False positive?
As part of our penetration testing for a client, we received the following
results of a Nessus scan. The results appear to indicate a machine that
has been hacked. I have NOT seen results like this before.
When we contacted the client to examine this machine, they reported that the
machine did NOT show any of the findings of the report. In addition, they
examined the machine both locally and coming across the network.
My question is:
Has anyone else seen these sorts of results where they were false positives?
A sample of the report (not the entire report) is listed below:
NESSUS SECURITY SCAN REPORT
Created 22.05.2003 Sorted by host names
Session Name : XXXXXXXXXXXX
Start Time : 22.05.2003 12:56:28
Finish Time : 22.05.2003 13:31:18
Elapsed Time : 0 day(s) 00:34:49
Total security holes found : 23
high severity : 4
low severity : 11
informational : 8
Scanned hosts:
Name High Low Info
------------------------------------------------
192.168.1.2 4 6 5
Host: 192.168.1.2
Open ports:
general/icmp
www (80/tcp)
general/tcp
ftp (21/tcp)
unknown (80/tcp)
Service: unknown (80/tcp)
Severity: High
One or more copies of the Windows command line FTP utility were found, it is
often left in the web root as part of an automated attack.
One or more copies of 'pwdump' were found, it is used to dump the encrypted
password hashes from a Windows server.
One or more copies of the 'cmd.asp' script were found, this ASP script can
be used to execute commands over the web, on IIS 4.0 it executes with
SYSTEM privileges.
One or more copies of the 'upload.asp' script were found, this ASP script
can be used to upload files to the server over the web, often used by
crackers when the target is firewalled.
One or more copies of the 'jsp.cmd' script were found, this JSP script can
be used to execute commands over the web.
One or more DLL files were found which indicate the presence of the 'Remote
Administrator' tool. This tool is used to gain remote access to a
compromised server.
One or more copies of the 'kill.exe' executable were found, this tool is
used for terminating processes, it was originally bundled with the Windows
Resource Kits and has become a favorite of crackers.
One or more copies of the 'hk.exe' exploit were found, it is used to gain
SYSTEM privileges on a web server already compromised through another
method.
One or more copies of the 'list.exe' executable were found, this tool is
used for enumerating processes, it was originally bundled with the Windows
Resource Kits and has become a favorite of crackers.
One or more DLL files were found which appear to be part of the 'NewGina.dll'
password logging toolkit.
One or more copies of the 'iiscrack.dll' exploit were found, it is used to
gain SYSTEM privileges on a web server already compromised through another
method.
One or more DLL files were found which indicate the presence of the 'VNC'
remote administration utility.
Details:
ftp.exe - /images/ftp.exe
ftp.exe - /images/ftpx.exe
ftp.exe - /links/ftp.exe
ftp.exe - /links/ftpx.exe
ftp.exe - /specials/ftp.exe
ftp.exe - /specials/ftpx.exe
ftp.exe - /personalbanking/ftp.exe
ftp.exe - /personalbanking/ftpx.exe
pwdump.exe - /images/pwdump.exe
pwdump.exe - /images/pwdump2.exe
pwdump.exe - /images/pwdump3.exe
pwdump.exe - /links/pwdump.exe
pwdump.exe - /links/pwdump2.exe
pwdump.exe - /links/pwdump3.exe
Mr. Miles Edmundson
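The check the reply asks for, looking in the IIS directories for the reported files and going through the IIS logs, as an added example that is not part of either message above and not a Nessus tool. It assumes (as file-existence checks of this kind generally work) that the plugin requested each path over HTTP and treated a 200 answer as "file present"; on a server that returns 200 with a custom error page for any path, every one of these tests fires at once. The script parses IIS W3C extended log lines (field order taken from the #Fields directive), picks out requests for the file names listed in the report, and decides per path whether the file is really in the web root, whether the server answered 200 for something that does not exist, or whether the request was refused. The log lines, addresses and web-root listing are constructed for the example; 10.1.1.50 stands in for the scanner.

```python
"""Triage a Nessus 'hacked files' finding against IIS logs and the web root (added example)."""
import fnmatch
from collections import defaultdict

# File names taken from the report's Details section and plugin descriptions;
# the wildcards cover the ftpx / pwdump2 / pwdump3 variants the report lists.
SUSPECT_PATTERNS = (
    "ftp*.exe", "pwdump*.exe", "cmd.asp", "upload.asp", "jsp.cmd",
    "kill.exe", "list.exe", "hk.exe", "iiscrack.dll", "newgina.dll",
)

# Constructed sample log in IIS W3C extended format (spaces inside a field are '+').
# 10.1.1.50 plays the scanner; 10.1.1.7 is an ordinary visitor. Hypothetical data.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-05-22 12:55:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes cs(User-Agent)
2003-05-22 12:55:02 10.1.1.7 GET /images/logo.gif - 200 4021 Mozilla/4.0
2003-05-22 12:56:31 10.1.1.50 GET /images/ftp.exe - 200 1811 Mozilla/4.0+(compatible;+scanner)
2003-05-22 12:56:31 10.1.1.50 GET /images/pwdump.exe - 200 1811 Mozilla/4.0+(compatible;+scanner)
2003-05-22 12:56:32 10.1.1.50 GET /links/cmd.asp - 200 1811 Mozilla/4.0+(compatible;+scanner)
2003-05-22 12:56:32 10.1.1.50 GET /specials/ftpx.exe - 200 36352 Mozilla/4.0+(compatible;+scanner)
2003-05-22 12:56:33 10.1.1.50 GET /scripts/kill.exe - 404 3387 Mozilla/4.0+(compatible;+scanner)
2003-05-22 13:02:10 10.1.1.7 GET /personalbanking/ftp.exe - 200 1811 Mozilla/4.0
"""

# Constructed listing of the web root (what `dir /s /b` under wwwroot would give, as URL paths).
SAMPLE_WEBROOT = {
    "/images/logo.gif",
    "/links/index.htm",
    "/specials/ftpx.exe",          # the one artifact really on disk in this sample
    "/personalbanking/index.asp",
}


def parse_w3c_log(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def is_suspect(uri_stem):
    """True if the requested file name is one of the names the report complains about."""
    name = uri_stem.rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatch(name, pat) for pat in SUSPECT_PATTERNS)


def triage(log_text, webroot):
    """Return {uri_stem: verdict} for every suspect path that was requested.

    'artifact-on-disk'  file exists in the web root: treat the finding as real
    'catch-all-200'     200 returned for a path that does not exist: the server answers
                        200 for anything, so an HTTP existence test proves nothing here
    'refused'           non-200 answer: nothing to see for this path
    """
    on_disk = {p.lower() for p in webroot}
    verdicts = {}
    for rec in parse_w3c_log(log_text):
        stem = rec["cs-uri-stem"]
        if not is_suspect(stem):
            continue
        if stem.lower() in on_disk:
            verdict = "artifact-on-disk"
        elif rec["sc-status"] == "200":
            verdict = "catch-all-200"
        else:
            verdict = "refused"
        if verdicts.get(stem) != "artifact-on-disk":   # presence on disk always wins
            verdicts[stem] = verdict
    return verdicts


def clients_hitting_suspects(log_text):
    """Requests for suspect paths per client address; anything besides the scanner deserves a look."""
    counts = defaultdict(int)
    for rec in parse_w3c_log(log_text):
        if is_suspect(rec["cs-uri-stem"]):
            counts[rec["c-ip"]] += 1
    return dict(counts)


def catch_all_signature(log_text, webroot):
    """Byte sizes of 200 answers for suspect paths that are not on disk.
    One repeated size is the usual fingerprint of a custom error page served with status 200."""
    on_disk = {p.lower() for p in webroot}
    return {rec["sc-bytes"] for rec in parse_w3c_log(log_text)
            if is_suspect(rec["cs-uri-stem"]) and rec["sc-status"] == "200"
            and rec["cs-uri-stem"].lower() not in on_disk}


if __name__ == "__main__":
    for stem, verdict in sorted(triage(SAMPLE_LOG, SAMPLE_WEBROOT).items()):
        print(f"{verdict:17} {stem}")
    print("clients requesting suspect paths:", clients_hitting_suspects(SAMPLE_LOG))
    print("sizes of 200s for missing files:", catch_all_signature(SAMPLE_LOG, SAMPLE_WEBROOT))
```

On a real host, feed it the ex*.log files from %SystemRoot%\system32\LogFiles\W3SVCn for the scan window (22.05.2003 12:56 to 13:31 in the report) and a listing of the web root taken from the console, not over HTTP. Every suspect path coming back 'catch-all-200' with one identical byte count is the false-positive pattern; any 'artifact-on-disk', or a suspect request from an address other than the scanner, is where incident response starts.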
