> I checked all cmd.exes around, they are all the same. I scanned _all_ exes
> trying to find any similar to cmd.exe (by matching some of its internals).
> Nothing similar. All I have original cmd.exes. No root.exes around.
>
> If _it_ is there then where is it ?

the point is not that there is something wrong with the cmd.exe

the point is that it is in a place where any intruder can send
it commands - commands like "ftp" and "dir" and "copy" and ...

the fact that they are all "the same" doesn't mean you are OK -
you need to be sure none of these cmd.exe or root.exe files are
in a place reachable from your webserver as CGI scripts.


> Could it be so that outside NIMDA was trying to get a bad admin.dll down
> to me by somehow running my cmd.exe/tftp.exe, but never succeeded ?

I think it at least succeeds in

1.  finding a CMD.EXE to use (because of your status 200 logfile entries)

2.  running tftp  (because you've seen this thing running in the taskmgr
    along with the parent cmd.exe shell)

but perhaps you are lucky that tftp is somehow impaired by a firewall
or directory permissions and the file transfer it is trying to do
never succeeds.

> How did it do it ?
> Why did not it succeed ?
>
> What is the purpose of this request logged by my IIS ?
> 02:25:11 203.173.177.17 GET /scripts/..%2f../Admin.dll 500
>
> I got this entry all over my IIS log files for last 2 weeks.
> Is this to check if infected admin.dll finally got to my PC ?

I don't have this in any of my logs - I've had hundreds of
attempts from IPs ranging all over - the probe always looks like the
same 16 GETs.

But perhaps you are right - maybe you only see this after it
tries to transfer the dll.

What do you know about this 203.173.177.17 address? Are
all the probes from there? This looks like an IHUG dialup
server. Is it one of yours? It seems weird to me that
you don't have hits from other places too.

-ns
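Added here, not part of the thread: a small Python scanner that applies the reply's own test to IIS log lines in the quoted layout (time, client IP, method, URI, status). It flags encoded-traversal requests and requests naming cmd.exe, root.exe or admin.dll, and treats a status 200 on a shell request as "reachable through the web server", which is the reading of the status-200 entries given above. The sample log is constructed (203.173.177.17 is the address quoted in the thread; 10.0.0.5 is a made-up client), and the list of traversal encodings is an assumption, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample in the layout the message quotes (time, client IP, method, URI, status).
# 203.173.177.17 is the address quoted in the thread; 10.0.0.5 is a made-up placeholder.
SAMPLE_LOG = """\
02:25:11 203.173.177.17 GET /scripts/..%2f../Admin.dll 500
02:25:12 203.173.177.17 GET /scripts/root.exe?/c+dir 404
02:25:13 203.173.177.17 GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir 200
02:26:00 10.0.0.5 GET /index.html 200
02:26:01 10.0.0.5 GET /_vti_bin/..%c1%1c../winnt/system32/cmd.exe?/c+tftp 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Encoded "../" variants used to escape the scripts directory (assumed list, case-insensitive).
TRAVERSAL_RE = re.compile(r"\.\.(%2f|%5c|%c0%af|%c1%9c|%c1%1c|%255c|%35c)", re.I)
# A command shell (cmd.exe/root.exe) or the worm payload (admin.dll) named in the path.
TARGET_RE = re.compile(r"/(cmd\.exe|root\.exe|admin\.dll)(\?|$)", re.I)


def classify(line):
    """Return a dict describing a suspicious request, or None for ordinary traffic."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    time, client, _method, uri, status = m.groups()
    reasons = []
    if TRAVERSAL_RE.search(uri):
        reasons.append("traversal")
    t = TARGET_RE.search(uri)
    if t:
        reasons.append("payload" if t.group(1).lower() == "admin.dll" else "shell")
    if not reasons:
        return None
    # Status 200 on a shell request is the case the reply warns about: a cmd.exe or
    # root.exe answered the request, so it is reachable through the web server.
    return {"time": time, "client": client, "uri": uri, "status": int(status),
            "reasons": reasons,
            "shell_reachable": int(status) == 200 and "shell" in reasons}


def scan(log_text):
    return [h for h in map(classify, log_text.splitlines()) if h]


def summarize(hits):
    """Probe count per client plus the URIs that actually reached a shell."""
    return {"per_client": dict(Counter(h["client"] for h in hits)),
            "reachable": [h["uri"] for h in hits if h["shell_reachable"]]}
```

Running `summarize(scan(SAMPLE_LOG))` on the constructed sample reports three probes from 203.173.177.17 and one from 10.0.0.5, with two URIs where a shell answered 200.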



---------------------------------------------------------------------------
  New Zealand Delphi Users group - Offtopic List - [EMAIL PROTECTED]
                  Website: http://www.delphi.org.nz
To UnSub, send email to: [EMAIL PROTECTED] 
with body of "unsubscribe offtopic"
Web Archive at: http://www.mail-archive.com/offtopic%40delphi.org.nz/
