I have a Windows 2000 Server SP4 and patched with all
security updates as of Saturday November 22. IIS is
running on this machine. On Monday, we received a Norton AV
message that idq.dll was infected with
hacktool.iis.exploit. Subsequently, several other files
(4) were also found to be infected. All were reported to
be quarantined with real-time scan. A couple of them have
the tftpxxx file names. We searched for information at
that time on this particular Trojan and found nothing
anywhere except an item on Symantec that says that it is
covered under their latest definitions. Tuesday, we had an
email application running slow. We found nc.exe (which we
believe to be netcat, a port-scanning utility) running the CPU
pretty hard. We couldn't run a manual scan of NAV because
the local drive was full. It isn't a big drive but it
wasn't full before. We were able to map the local drive of
this computer from another and run a scan from the second
pc to the first and it found two infected files that
Norton left alone. So we took the server offline.

We ran NAV in safe-mode and nothing was reported. We are
also now able to run NAV from Windows and nothing is
reported. This was done with no network connectivity.

We are guessing that after the Trojan infected the
machine, it installed a tftp program and ran netcat. After
that we don't know what else could have happened.

I'm leaving the questions wide open. What would be our
next plan of action? What should we look at to determine
what activity was done?

Thanks for your time.
pepe

Re: hacktool.iis.exploit by Ron

Ron
Wed Nov 26 15:46:33 CST 2003

You may want to start here:

http://www.cert.org/security-improvement/index.html#Respond

You'll want to isolate that box off your network ASAP ...

"pepe" <anonymous@discussions.microsoft.com> wrote in message
news:102701c3b434$7a667560$a401280a@phx.gbl...
> I have a Windows 2000 Server SP4 and patched with all
> security updates as of Saturday November 22. IIS is
> running on this machine. On Monday, we received a Norton AV
> message that idq.dll was infected with
> hacktool.iis.exploit. Subsequently, several other files
> (4) were also found to be infected. All were reported to
> be quarantined with real-time scan. A couple of them have
> the tftpxxx file names. We searched for information at
> that time on this particular Trojan and found nothing
> anywhere except an item on Symantec that says that it is
> covered under their latest definitions. Tuesday, we had an
> email application running slow. We found nc.exe (which we
> believe to be netcat, a port-scanning utility) running the CPU
> pretty hard. We couldn't run a manual scan of NAV because
> the local drive was full. It isn't a big drive but it
> wasn't full before. We were able to map the local drive of
> this computer from another and run a scan from the second
> pc to the first and it found two infected files that
> Norton left alone. So we took the server offline.
>
> We ran NAV in safe-mode and nothing was reported. We are
> also now able to run NAV from Windows and nothing is
> reported. This was done with no network connectivity.
>
> We are guessing that after the Trojan infected the
> machine, it installed a tftp program and ran netcat. After
> that we don't know what else could have happened.
>
> I'm leaving the questions wide open. What would be our
> next plan of action? What should we look at to determine
> what activity was done?
>
> Thanks for your time.
> pepe
>



Re: hacktool.iis.exploit by Karl

Karl
Thu Nov 27 07:02:16 CST 2003


http://securityadmin.info/faq.asp#hacked
www.cert.org/tech_tips
http://securityadmin.info/faq.asp#re-secure
http://securityadmin.info/faq.asp#harden

Reading the book "Incident Response" might also be helpful, although you
probably need something fast.

Based on your description, I'm guessing there might be two different things
going on here. TFTP files could be virus infections, and the fact that your
hard drive is full makes me suspect that your computer was hosting an
illicit FTP server through "FTP Tagging." The latter, along with the
existence of netcat and the full hard drive, sounds more likely to be an
intrusion by a real person and not a virus.

Patches alone are not enough. You may need to make sure you have a firewall
and that it is correctly configured [your web server has NO purpose in doing
TFTP outbound, and if you are not blocking everything outbound except for a
short list of protocols that are permitted outbound, that is a mistake in
the firewall configuration]. Besides patches, the proper configuration
settings are necessary; see the hardening link above for info. And, if you
had FTP services running, either disable them if you are not using them,
or at least make sure the anonymous FTP user (e.g. IUSR) never has both
read and write permissions on any FTP folder.

http://securityadmin.info/faq.asp#ftpfolder


"pepe" <anonymous@discussions.microsoft.com> wrote in message
news:102701c3b434$7a667560$a401280a@phx.gbl...
> I have a Windows 2000 Server SP4 and patched with all
> security updates as of Saturday November 22. IIS is
> running on this machine. On Monday, we received a Norton AV
> message that idq.dll was infected with
> hacktool.iis.exploit. Subsequently, several other files
> (4) were also found to be infected. All were reported to
> be quarantined with real-time scan. A couple of them have
> the tftpxxx file names. We searched for information at
> that time on this particular Trojan and found nothing
> anywhere except an item on Symantec that says that it is
> covered under their latest definitions. Tuesday, we had an
> email application running slow. We found nc.exe (which we
> believe to be netcat, a port-scanning utility) running the CPU
> pretty hard. We couldn't run a manual scan of NAV because
> the local drive was full. It isn't a big drive but it
> wasn't full before. We were able to map the local drive of
> this computer from another and run a scan from the second
> pc to the first and it found two infected files that
> Norton left alone. So we took the server offline.
>
> We ran NAV in safe-mode and nothing was reported. We are
> also now able to run NAV from Windows and nothing is
> reported. This was done with no network connectivity.
>
> We are guessing that after the Trojan infected the
> machine, it installed a tftp program and ran netcat. After
> that we don't know what else could have happened.
>
> I'm leaving the questions wide open. What would be our
> next plan of action? What should we look at to determine
> what activity was done?
>
> Thanks for your time.
> pepe
>
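As an added example that is not part of this thread: a small Python triage script in the spirit of Karl's reply, which parses IIS W3C extended logs (the #Fields line decides the column layout) and flags requests naming the files pepe saw flagged, plus FTP write commands issued by the anonymous user, the trace "FTP tagging" would leave. The log lines are constructed, and the spelling of the FTP methods as IIS writes them ([n]MKD, [n]created) is an assumption.

```python
"""Log triage for a suspected IIS compromise: parse W3C extended logs and
report the records the thread's replies point at. All log text below is
constructed for illustration, not taken from a real server."""
import re

# Constructed IIS web log; the #Fields directive defines the columns.
WEB_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-11-24 08:01:12 10.1.2.3 GET /default.htm - 200
2003-11-24 08:03:44 10.9.9.9 GET /scripts/idq.dll - 200
2003-11-24 08:03:50 10.9.9.9 GET /scripts/nc.exe - 200
"""

# Constructed IIS FTP log; cs-method carries the FTP command prefixed by
# the connection number in brackets (assumed IIS 5 spelling).
FTP_LOG = """#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2003-11-24 09:10:00 10.9.9.9 anonymous [3]USER anonymous 331
2003-11-24 09:10:01 10.9.9.9 anonymous [3]PASS - 230
2003-11-24 09:10:05 10.9.9.9 anonymous [3]MKD /incoming/tagged 257
2003-11-24 09:10:09 10.9.9.9 anonymous [3]created /incoming/tagged/drop.zip 226
2003-11-24 09:30:00 10.1.2.3 alice [4]sent /pub/readme.txt 226
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated records
            yield dict(zip(fields, values))

# File names the original post reports as flagged or found on the box.
SUSPECT_NAMES = re.compile(r"(idq\.dll|nc\.exe|tftp)", re.IGNORECASE)
# FTP commands that write to disk; anonymous writes are the tagging pattern.
FTP_WRITES = re.compile(r"^\[\d+\](MKD|STOR|APPE|RNTO|created)$", re.IGNORECASE)

def suspicious_web_requests(text):
    """Return (c-ip, cs-uri-stem) for requests naming a suspect file."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in parse_w3c(text)
            if SUSPECT_NAMES.search(r["cs-uri-stem"] + " " + r.get("cs-uri-query", ""))]

def anonymous_ftp_writes(text):
    """Return (c-ip, method, path) for write commands by the anonymous user."""
    return [(r["c-ip"], r["cs-method"], r["cs-uri-stem"]) for r in parse_w3c(text)
            if r["cs-username"].lower() == "anonymous"
            and FTP_WRITES.match(r["cs-method"])]
```

Run the two functions over the real log directories (the IIS defaults were under %SystemRoot%\System32\LogFiles) and compare the timestamps against when NAV first alerted.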