From gbromley@intstar.com Fri Apr 20 20:32:13 2001
Date: Thu, 19 Apr 2001 22:49:54 +0100
From: Gareth Bromley
To: project@honeynet.org
Subject: Scan of the month

I'm afraid I'm rather new to all of this, so here are the 'newbie' answers.

1. Given the initial large number of port 80 probes, it looks like IIS-based vulnerabilities were checked first. Given the reasonably quick hits, I would surmise that it is an automated tool checking vulnerabilities. Not knowing enough about NT, I would imagine the IIS or Windows NT web-based admin may be the culprits.

2. I think the exploit is a web-based exploit, as suddenly the victim starts to connect via FTP to the attacker.

3. The attacker gets the victim to download files using a non-PASV FTP server (himself). Web access is then installed to install this software, and from the initial port number (6969) most likely GateCrasher, Priority, IRC 3 or maybe NetController (this port number looks to change later on to other ports, 6868).

4. Removal of non-essential/default installed files and applications installed by IIS.

5. 2 hours, but I can't figure out what the HTTP-based exploit is :(

Bonus Question: I guess yes, as there are a number of traffic events, e.g. ICMP ECHO requests made to the server (but not replied to) and changing of the remote control software's ports (6968, 6868), that indicate to me that the hacker has detected 'strange' behaviour.

Looking forward to the real answers,

--Gareth
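As an added example, not part of Gareth's submission or the Honeynet challenge material, the sequence the answers describe (a burst of port 80 probes from one host, the victim then opening an FTP control connection back to that same host, then traffic on the remote-control ports 6969/6868) can be checked mechanically over connection records. The victim address, thresholds and the records themselves are constructed assumptions.

```python
# Added example: correlate connection records to flag the probe -> outbound FTP
# -> remote-control-port sequence discussed in the answers above.
from collections import defaultdict

VICTIM = "172.16.1.107"        # assumed victim address (constructed)
PROBE_THRESHOLD = 5            # hits on port 80 from one source ...
PROBE_WINDOW = 60              # ... within this many seconds = a probe burst
BACKDOOR_PORTS = {6969, 6868}  # ports named in the write-up

# Constructed records: (epoch seconds, src, sport, dst, dport)
RECORDS = [
    (1000, "10.0.0.9", 40001, VICTIM, 80),
    (1001, "10.0.0.9", 40002, VICTIM, 80),
    (1002, "10.0.0.9", 40003, VICTIM, 80),
    (1003, "10.0.0.9", 40004, VICTIM, 80),
    (1004, "10.0.0.9", 40005, VICTIM, 80),
    (1005, "10.0.0.9", 40006, VICTIM, 80),
    (1300, VICTIM, 1033, "10.0.0.9", 21),      # victim -> prober, FTP control
    (1900, "10.0.0.9", 40100, VICTIM, 6969),   # prober -> victim, backdoor port
    (5000, "192.0.2.5", 50000, VICTIM, 80),    # unrelated single hit, ignored
]

def find_probe_bursts(records):
    """Return {src: start_time} for sources whose port 80 hits form a burst."""
    per_src = defaultdict(list)
    for t, src, _, dst, dport in records:
        if dst == VICTIM and dport == 80:
            per_src[src].append(t)
    bursts = {}
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times) - PROBE_THRESHOLD + 1):
            if times[i + PROBE_THRESHOLD - 1] - times[i] <= PROBE_WINDOW:
                bursts[src] = times[i]
                break
    return bursts

def correlate(records):
    """Flag outbound FTP to a prober and backdoor-port traffic from a prober."""
    bursts = find_probe_bursts(records)
    findings = []
    for t, src, _, dst, dport in records:
        if src == VICTIM and dport == 21 and dst in bursts and t > bursts[dst]:
            findings.append(("outbound_ftp_to_prober", t, dst))
        if dst == VICTIM and dport in BACKDOOR_PORTS and src in bursts:
            findings.append(("backdoor_port_from_prober", t, dport))
    return bursts, findings

if __name__ == "__main__":
    for finding in correlate(RECORDS)[1]:
        print(finding)
```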