Apologies in advance for the typos.

First breach, gets listing of boot.ini
Need following segments
Failed attempt to list contents of /mdac/ directory
First use of MDAC RDS vulnerability to concatenate 'werd' to file 'c:\fun'. Likely just testing the exploit.
Uses Unicode exploit to check contents of the file
Unicode exploit is confirmed
Need following segments
Uses MDAC exploit to create an FTP script file to download the toolkit
Toolkit is (samdump.dll, pdump.exe and nc.exe)
nc.exe is version 1.10 (you can see the version string in the FTP data stream later on)
Judging from the size of pdump.exe in the FTP control channel traffic, this looks like pwdump2.exe (32768 bytes). This is supported by the size of samdump.dll (36,864 bytes)
Uses MDAC vulnerability to open scripted FTP session to www.nether.net
Uses -n switch to suppress auto-login
FTP login fails; the intruder probably cannot see this.
FTP session terminates with nothing downloaded
Uses MDAC vulnerability to run pdump and concatenate output into file 'new pass'
Since pdump did not download, this must fail
Uses MDAC vulnerability to begin a new FTP script called ftpcom2
The purpose of this script is to FTP the file 'new pass' to nether.net
Uses MDAC vulnerability to start scripted FTP session with the new script file
Uses -n switch to suppress auto-login
FTP fails again due to login problems
When nothing shows up on the FTP server, the intruder will know something is wrong
Uses MDAC vulnerability to open an FTP connection to his own machine.
This would prove that the machine CAN make FTP connections
Interesting FTP banner
Uses MDAC vulnerability to start a new FTP script for his/her own FTP server, overwriting file 'ftpcom'
Adds username to FTP script, overwriting the previous line.
This script is designed to grab the toolkit
Uses MDAC exploit to start FTP client with 'ftpcom' script
Since the open command was overwritten, the script does nothing
After about a minute, the MDAC exploit is used to send an open command (to his own machine)
This will not work though, because cmd.exe does not know this is for the FTP session.
The intruder likely got suspicious after no connections were made to his machine after the better part of a minute
Uses MDAC vulnerability to start yet another FTP script called sassfile
The purpose of this file is to try to download the toolkit again
MDAC vulnerability is used to run the FTP client in scripted mode with the 'sassfile' script
Again, the script file had no open command
After about a minute and a half he/she uses the MDAC vulnerability to send the open command to self
Again, this will not do anything, as cmd.exe does not recognize 'open' as a valid command
Uses MDAC to append a username 'johna2k' to 'sassfile'
Uses MDAC vulnerability to append password 'haxedj00' to 'sassfile'
Uses MDAC vulnerability to append commands to get tools to 'sassfile'
Uses MDAC vulnerability to run FTP client with 'sassfile' script
But nothing happens since an FTP connection is never opened. (This may lock these files)
Uses Unicode vulnerability to make a copy of cmd.exe (named cmd1.exe)
Uses Unicode vulnerability to overwrite 'ftpcom' FTP script, this time starting with an open command.
The purpose of the script is the same as before.
Uses Unicode vulnerability to kick off the FTP script
And this time it works
As soon as netcat is downloaded (but before other files complete), intruder uses Unicode vulnerability to open an instance of netcat listening on port 6969 using the -e flag to pipe input to cmd1.exe
The intruder would need to run a command something like 'nc 172.16.1.106 6969' on their end
NOTE: this instance of cmd1.exe will be running with the same privileges as the web server.
Intruder gets a remote console 'C:\Program Files\Common Files\system\msadc>'
FTP session ends '221 Buh bye, you secksi hax0r j00 :]'
Uses MDAC vulnerability to execute pdump and append output to file 'yay.txt'. This will give him/her the password hashes for a cracking tool later.
NOTE: Commands run using the MDAC vulnerability will execute with system privileges
Uses remote shell to get a dir listing but yay.txt is not there.
Tries dir again, yay.txt still not there.
Deletes FTP script 'ftpcom' using remote shell. Cleanup.
Tries to run 'ls' from remote shell. Sorry, this is NT
Runs dir from remote shell. ftpcom is gone.
Tries to read 'readme.txt' file using 'type' command from his remote shell. Mistypes filename and doesn't try again.
Uses MDAC vulnerability to run pdump again and redirect output to file 'c:\yay.txt'
From remote shell: CDs to 'c:\' and lists files. There is yay.txt
Tries another *nix command from remote shell. Uses 'rm' instead of 'del'
More cleanup, deletes file 'fun' using remote shell
Exploring... Uses remote shell to 'cd' to exploits directory
After exploring the subdirectories, he/she 'cd's back to 'c:\'
Uses MDAC vulnerability to run 'pdump.exe' again and append the output to file 'c:\yay.txt'
He/she might have noticed the 0 file size for yay.txt in the directory listing.
After running dir a couple more times and seeing the same result (0 file size), he/she tries to read the file using 'cat'.
This fails as this still isn't a *nix box
Tries again using the 'type' command.
File yay.txt is empty
Using remote shell (web server privileges), he/she tries to run 'net session' command, likely to check for NetBIOS shares in use.
This fails due to lack of privileges.
Using remote shell, he/she runs 'net users' command for a listing of local accounts.
It works
Uses MDAC vulnerability (system privs.) to run 'net session' command and redirect output to file 'yay2.txt'
Uses MDAC vulnerability to run 'net session' command and redirect output to file 'c:\yay2.txt'.
Uses remote shell to read file 'c:\yay2.txt'. Nobody is connected.
Uses remote shell to clean up file 'c:\yay2.txt' (but not c:\Program Files\Common Files\system\msadc\yay2.txt)
Tries 'net session' command again from remote shell but still doesn't have required privileges
Tries cleaning up a bit by running 'del yay.*'
This deletes yay3.txt but it looks like yay.txt is locked by another process.
Uses MDAC vulnerability to run 'net users' and append output to file 'heh.txt'
Uses MDAC vulnerability to run 'net users' and append output to file 'c:\heh.txt'
Reads heh.txt from remote shell
Cleans up 'c:\heh.txt' using remote shell
Checks out contents of 'c:\program files\'
Leaves a calling card. Writes 'Hi, i know that this a is a lab server, but patch the holes! :-)' to file README.NOW.Hax0r
Runs 'net groups' command from remote shell. This shows the domain groups.
Tries to run 'net localgroup' from remote shell. This fails
From remote shell, the intruder plays around with various net commands
Likely this is an effort to try to discover the name of the local administrators group.
The command which would reveal this, 'net localgroup', will not run.
Uses MDAC vulnerability to try to add user 'IWAM_KENNY' to the localgroup 'Domain Admins' (which doesn't exist)
Uses MDAC vulnerability to try to add user 'IUSR_KENNY' to the localgroup 'Domain Admins' (which doesn't exist)
One of these should be the web server account (and thus the account that the remote shell is running as)
Tests the privileges of the remote shell by running 'net session'.
Still denied
Lists out users in local administrators group
Realizes his mistake and uses MDAC vulnerability to add the same two accounts to the localgroup 'administrators'
Uses remote shell to list out local administrators group and sees that the accounts are now included.
Tests his/her work by running 'net session' command from remote shell
Access still denied.
Explores some more... Navigates to C:\Program Files\Common Files\ODBC\Data Sources and lists files, but there is nothing interesting there.
Navigates remote shell to C:\Program Files\Common Files\System\msadc directory and lists files.
Tries to run pdump from remote shell but this fails due to access limitations.
This is not a privileged shell
Uses remote shell to list out running services with 'net start' command
Uses MDAC vulnerability to add an account named 'testuser' to the system with a password of 'UgotHacked'
Uses MDAC vulnerability to add an account named 'testuser' to the administrators group
Checks the users in administrators group from remote shell. User 'testuser' is not there.
Lists users and does not see user 'testuser'
Tries to add another user 'hi' pwd 'guy' from remote shell. This fails. System error 1312
Tries to add another account (himan / HarHar666) using the remote shell. This fails.
Runs 'net name' command from remote shell
Uses remote shell to clean up files in 'C:\Program Files\Common Files\System\msadc'
Deletes pdump.exe, samdump.dll and pdump.exe
Navigates remote shell to 'C:\WINNT\repair\'.
Going for the SAM

Runs rdisk -s/ to try to update this copy of the SAM db from the remote shell.
Runs rdisk -/s
Runs rdisk
Then runs rdisk -s
Looking at the timestamps in the directory listing, it does not appear that any of these worked.
Attempts to read sam in remote shell and sees this shell is not privileged.
Uses MDAC vulnerability to run rdisk -/s
Uses MDAC vulnerability to run rdisk -s
Uses MDAC vulnerability to run rdisk
Directory listing still shows same timestamps.
Uses MDAC vulnerability to run rdisk -s/
And again uses MDAC vulnerability to run rdisk -s/
Uses MDAC vulnerability to try rdisk /s-
But a directory listing shows the same old timestamps
Uses MDAC vulnerability to try rdisk /s-
Again no change in the timestamps
Uses MDAC vulnerability to run rdisk /s-
Uses MDAC vulnerability to read the compressed sam (c:\winnt\repair\sam._) into the file 'c:\har.txt'
A directory listing shows that the timestamps have changed (Is the system clock off???)
Navigates remote shell back to 'c:\'. Reads file har.txt
Original remote shell on port 6969 disconnects
Uses Unicode vulnerability to start a new nc listener on port 6969
Uses Unicode vulnerability to start a new nc listener on port 6968
Intruder connects to listener on port 6968
Tries 'net session' from new remote shell, but access is still denied.
Navigates remote shell to 'c:\' and tries to delete yay.txt. It is still in use by another process.
Navigates remote shell to 'wiretrip' directory
Navigates remote shell to 'c:\inetpub\wwwroot\' and lists files.
Copies file 'c:\har.txt' to inetpub.
Comes and grabs it with his browser (refer to full log for this)
Tries to delete har.txt
But it looks like IIS has it locked.
Uses MDAC vulnerability to try to delete 'har.txt'
No dice.
Tries again with MDAC to delete 'har.txt'
Still no dice.
Navigates remote shell to 'guests' subdirectory
Navigates back to 'wwwroot' then starts looking for other drives on the machine.
Tries drives d,e,f,h,g,a,b. None are present.
Pokes around a couple more directories then disconnects
Uses Unicode vulnerability to start two new nc listeners (one on port 6968 and one on port 6868)
A little over a minute and a half later, he/she opens a remote shell to the listener on port 6868
NOTE: This session connects from a different IP address (different network) than the intruder has been using thus far.
Tries D: drive again from remote shell (202.85.60.156)
Using remote shell (202.85.60.156), he/she navigates to Outlook Express folder and takes a look
Uses remote shell (202.85.60.156) to read file 'c:\yay.txt'. It is empty.
Uses remote shell (202.85.60.156) to create a directory 'c:\test\'
Uses remote shell (202.85.60.156) to read file 'C:\har.txt'
Uses remote shell (202.85.60.156) to poke around 'c:\exploits\' directory.
Navigates remote shell (202.85.60.156) to 'c:\' directory.
And the game is up. Intruder creates a file 'c:\rfp.txt' that reads 'best honeypot i've seen till now :)'
Uses Unicode vulnerability to list boot.ini
Uses Unicode vulnerability to try to read 'READ.NOW.hax0r' file but gets a 404
Uses Unicode vulnerability to try to read 'READ.NOW.hax0r' file but gets a 404
Uses remote shell (202.85.60.156) to root around in the 'c:\exploits' directory again.
Uses remote shell (202.85.60.156) to read file 'ALLHOSTS.C' in the 'C:\exploits\unix\tcp-exploits' directory.
Uses remote shell (202.85.60.156) to read file 'CSIRCSEQ.C'.
Uses remote shell (202.85.60.156) to check for a D: drive and an A: drive again
Uses remote shell (202.85.60.156) to navigate to 'C:\inetpub\wwwroot\' then writes the string 'test' to the file 'test.txt'
Within 15 seconds, a Linux box with the IP 212.187.36.4 requests the new file.
Uses remote shell (202.85.60.156) to overwrite the file 'test.txt' with the string 'this can't be true'
Within 30 seconds of the file being created, the Win2K machine (213.116.251.162) hits file test.txt with a browser.
Less than a minute and a half later, a Linux box at 213.46.45.28 hits test.txt with a browser.
50 seconds later, a Windows 98 box at 213.48.120.242 hits test.txt with a browser.
9 seconds later, a Windows 98 box at 194.126.101.110 hits test.txt with a browser.
52 seconds later, a Windows 95 box at 213.93.39.186 hits test.txt with a browser.
10 seconds later, a Windows 98 box at 24.43.44.7 hits test.txt with a browser.
33 seconds later, a Linux box at 198.142.92.196 hits test.txt with a browser.
Uses remote shell (202.85.60.156) to remove directory 'c:\test\'.
Uses remote shell (202.85.60.156) to navigate to 'C:\InetPub\wwwroot\' and copy 'default.htm' to 'default.html'
Uses remote shell (202.85.60.156) to append a '.' to the end of the file 'default.htm'
Uses Unicode vulnerability to copy 'C:\winnt\system32\cmd.exe' to 'cmd1.exe' again.
But this fails due to a file-in-use error.
Uses Unicode vulnerability to overwrite file 'ftpcom' with a new FTP script.
The purpose of the script is to grab whisker.
Uses Unicode vulnerability to fire off the FTP script.
Uses Unicode vulnerability to start a netcat listener on port 6969.
Uses Unicode vulnerability to clean up the 'ftpcom' script.
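Added detection example, not part of the original analysis: a small triage pass over IIS-style web server logs for the two request patterns this whole timeline rests on, POSTs to the RDS DataFactory endpoint (/msadc/msadcs.dll, the real MDAC RDS path) and overlong UTF-8 traversal to cmd.exe (the Unicode bug). The log layout and the sample entries are constructed, and the traversal decoder is hand-written so that overlong sequences are both normalised and reported rather than silently accepted.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample log, simplified W3C layout: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = """\
2000-01-01 00:00:01 192.0.2.10 GET /default.htm - 200
2000-01-01 00:00:05 192.0.2.10 POST /msadc/msadcs.dll - 200
2000-01-01 00:00:09 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200
2000-01-01 00:00:12 192.0.2.20 GET /scripts/report.asp id=7 200
""".splitlines()

def decode_path(raw):
    """Percent-decode a URI stem and decode its UTF-8 by hand, flagging overlong sequences."""
    data = unquote_to_bytes(raw)
    out, overlong, i = [], False, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                                    # plain ASCII
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data):   # 2-byte sequence
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            overlong |= cp < 0x80                       # e.g. C0 AF is an overlong '/'
            out.append(chr(cp)); i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data):   # 3-byte sequence
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            overlong |= cp < 0x800                      # e.g. E0 80 AF is also '/'
            out.append(chr(cp)); i += 3
        else:                                           # truncated or invalid byte
            out.append("\ufffd"); i += 1
    return "".join(out), overlong

def classify(method, stem):
    """Return the set of indicator labels for one request."""
    path, overlong = decode_path(stem)
    norm = path.replace("\\", "/").lower()              # IIS treats both separators alike
    hits = set()
    if overlong:
        hits.add("overlong-utf8")
    if "/../" in norm or norm.endswith("/.."):
        hits.add("traversal")
    if re.search(r"/cmd\w*\.exe$", norm):               # cmd.exe or a renamed copy (cmd1.exe)
        hits.add("cmd-exec")
    if method == "POST" and norm.endswith("/msadc/msadcs.dll"):
        hits.add("rds-datafactory")
    return hits

def scan_log(lines):
    """(client-ip, uri-stem, sorted indicators) for every request that trips a rule."""
    rows = [line.split() for line in lines]
    return [(f[2], f[4], sorted(h)) for f in rows if len(f) >= 7 and (h := classify(f[3], f[4]))]
```

Both findings in the sample come from the same client, which is the pivot a responder would use to pull the rest of that host's requests and the FTP and netcat traffic that followed.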