Re: Strange Attack On A Webserver I Work On

Matthew J. Sahagian wrote:
> Hello, I'm a long time reader of this list and have never really had the need 
> to post here.  However, recently a webserver that I do minimal administrative 
> work for was attacked.  We're still unsure exactly what had been done.  Most of 
> the logs have been either cleaned or wiped completely (either by log rotate or 
> by the attacker).  I was gone for the weekend so I sorta came back to this.  I 
> don't really have questions about the attack per se, we're doing pretty well at 
> the recovery process....  one question I do have however is this.
>
> The attacker (either manually or using a program) replaced all index.html/htm 
> and index.php files they had permission to replace with a UDP flooder.  I 
> extracted some of the information from the flooder using the strings program 
> and heres what I get:
[cut]

Hmmm.. Have you tried to disasm the flooder yet?
Maybe you can discover somethin interesting in it.
Anyway I think this attack was performed by a script kiddy that found a
flooder somewhere in the net and used it without knowing what he was
doing... Brrr....

Some time ago some stupid lamers sent repeatedly to my apache a string
composed by a

SEARCH/

and a very long shellcode made of \x02,\x80 and NOPs (\x90).
Some days later I discovered that this was a IIS bof... so the attacker
was a lamer? Maybe someone attacked with the same "technique" of the
l4m3 that attacked me without doing damage, but against you the attack
worked...

Bye

--
Andrea, aka X-3mE'89
http://exxtreme.altervista.org
exxtreme@altervista.org

...."Have you mooed today?"...