HELP - I AM BEING HACKED - u.pl - directory traversal?

Post by Peter Janse » Fri, 27 Apr 2001 17:29:32



Hi,
I found a whole lot of instances of CMD.EXE running on the server recently.
I used the kill command to kill them and found that a script called u.pl was
running.
On looking at the perl script (u.pl) it has a reference to the following
site:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fsecti...
scussion%26vid%3D1806

Which is a section of the site about the Web Server Folder Traversal
vulnerability
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

I installed this patch but the hacker continues to get onto my machine.  He
copies his scripts into the C:\Perl\Bin directory and can create directories
there.  He has left a message saying that he could delete my hard drive if
he chose, and I don't know if that is an empty threat because he seems to
be able to run command line commands, so theoretically he could run format
C:...

I must admit our server was woefully out of date with the security patches
and I have just applied a few that seem relevant, but I can't stop them
getting in!  I don't even want to kill their current programs in case they
retaliate by taking down the server.

So the symptoms are that I see CMD.EXE running when it shouldn't, and there
are a collection of Perl scripts in C:\Perl\Bin.  I have had a brief look at
them and they seem to allow the hacker to run command line scripts; at one
stage there was a file with a list of IPs...  Help, I need to secure my server.

Please any help would be much appreciated.
Peter Jansen


HELP - I AM BEING HACKED - u.pl - directory traversal?

Post by Steve » Fri, 27 Apr 2001 19:38:40


I need more information... what kind of server is it? If I'm correct it's a
webserver... but does it have more services like ftp... mail...?
Try a port scanner on the server to see which ports are open/vulnerable.

Regards,

Steven de Vries

Peter Jansen wrote in message ...




HELP - I AM BEING HACKED - u.pl - directory traversal?

Post by Peter Janse » Fri, 27 Apr 2001 17:54:12


Thanks for replying.  Ok our details are:

NT 4, SP 6a

IIS4: Web, FTP

MDaemon mail server

PCAnywhere Host

The machine is a web server for several sites.

Which port scanner would you recommend?

SMTP disabled

When I installed SP 6a it hung on the very last step (after installation
showed it was 100% complete), I wonder if this could be related.

Thanks for your help

Peter Jansen




HELP - I AM BEING HACKED - u.pl - directory traversal?

Post by bomb » Fri, 27 Apr 2001 18:06:20


Although you've installed all the patches now, that's a bit like locking the
door after the horse has bolted.  Most likely, your friendly hacker has
installed himself a backdoor trojan [something like Sub7 or Back Orifice],
and has constant and complete control of your server.

My advice would be to just wipe the entire server, and re-install everything
from a backup that dates from a period when you knew it was untouched.
Install all the patches, audit the security and then put the server back
online.  The only problem with this is that I'm guessing, due to your lack
of care with your patches and general security, that you probably don't have
a full set of backups.

Next step: to find out if there is a trojan running on your machine, go to
DOS and type in netstat -a -n.  This will show you a list of all your
connections and the ports that they use.  Then go to
http://www.system-security.net/Documents/Ports_Used_By_Trojans/ports_...
_trojans.html
This should give you a better idea of what you're dealing with, and
therefore how to deal with it.  A first step would be to block the offending
port[s] on your firewall [you do have a firewall, don't you?].

Finally, if your server is connected to a LAN or anything else, then you
need to do a full audit, as chances are they may well have been compromised
too.

Good luck,

bomba


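The netstat triage bomba describes, as an added Python example that is not from the thread: it parses constructed `netstat -a -n` output in the NT layout, flags every socket outside the set of services Peter listed, and tags the default ports of the two backdoors named above. The expected-port set, the sample addresses and the backdoor port table are assumptions to adjust for the host in question.

```python
import re

# Constructed sample in the Windows NT `netstat -a -n` layout (not captured
# from the poster's server; every address and port here is made up).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1043      ESTABLISHED
  TCP    192.0.2.10:27374       203.0.113.99:2031      ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# Assumption: the ports this box should expose, taken from the services the
# poster listed (FTP 21, web 80, pcAnywhere 5631/5632). Edit for your host.
EXPECTED_PORTS = {21, 80, 5631, 5632}

# Default ports of the two backdoors named in the thread. A real install can
# be moved to any port, so a hit is a lead to investigate, not a verdict.
KNOWN_BACKDOOR_PORTS = {27374: "Sub7 default port", 31337: "Back Orifice default port"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Parse netstat rows into (proto, local_ip, local_port, foreign, state)."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, ip, port, foreign, state = m.groups()
            rows.append((proto, ip, int(port), foreign, state))
    return rows


def triage(text, expected=EXPECTED_PORTS, backdoors=KNOWN_BACKDOOR_PORTS):
    """Return (proto, port, label, peer) for every socket outside the expected
    set; peer is None for a bare listener and the remote address (the thing to
    block at the firewall) for an established session."""
    findings = []
    for proto, _ip, port, foreign, state in parse_netstat(text):
        if port in expected:
            continue
        label = backdoors.get(port, "unexpected port")
        if state == "LISTENING" or proto == "UDP":
            findings.append((proto, port, label, None))
        elif state == "ESTABLISHED":
            findings.append((proto, port, label, foreign))
    return findings
```

Run it against the real output (`netstat -a -n > netstat.txt`, then pass the file's contents to `triage`) and compare the listener set against what the services you installed should open; a peer address on an established session to an unexpected port is the address to block first.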


HELP - I AM BEING HACKED - u.pl - directory traversal?

Post by Steve Goodma » Fri, 27 Apr 2001 22:18:23


There's a utility that scans NT systems for backdoors and trojans...

check out http://grc.com/pw/patchwork.htm

It scans for trojans and then removes them.  It doesn't do security patches
though... but you've already done them.

