Updated: IWAP_WWW account on compromised IIS servers
Request for Information: IWAP_WWW account
We have received information about compromised systems with Internet
Information Server. These systems had an administrator-level account
with the username 'IWAP_WWW' added.
Please check if your server has such an account and let us know
what you find. Until we know more, we suggest that you consider
a server compromised if you find an administrator account with
this username.
Update at the end of the day, still looking for concrete info
We don't have a lot more information on this than when we posted the
initial info this morning. Apparently some people started noticing it
last Tuesday and there has been some speculation that it may be related
to Berbew, but the Symantec write-up on Berbew does not mention the
administrator account, so that connection remains tentative at best.
You can find some of the discussion of this at
http://www.webmasterworld.com/forum10/5849.htm
http://amazingtechs.com/index.php?showtopic=14414
and the Symantec write-up on Berbew at
http://www.sarc.com/avcenter/venc/data/backdoor.berbew.f.html
From the mailbag
We received some correspondence today from an educational institution
which has detected what appears to be a fairly large number of GIFs and
JPEGs on their Windows web server that have data stashed in the
alternate data streams (a feature of the NTFS file system). We're not sure
yet how this data got onto the server. We are
still investigating to determine what exactly has been stashed in the
ADSes, but kudos to the admins at this site for even detecting them.
This should serve as a reminder to administrators to monitor disk space
and network usage, and when something out of the ordinary occurs, investigate
(or get help investigating). We're not certain at this time how damaging
this particular breach might be. If we learn anything interesting, we'll
provide an update. Obligatory SANSFIRE plug: Track 8 will provide you with
information on tools that can be used to investigate alternate data streams
as part of the Windows forensics tools.
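For readers who want to run both checks the diary asks for (the IWAP_WWW member of the local Administrators group, and image files carrying NTFS alternate data streams), here is an added PowerShell triage script; it is not part of the diary or of any SANS tool. It assumes PowerShell 3.0 or later on the IIS host and that the web root is C:\inetpub\wwwroot (change $Root if yours differs).

```powershell
# Added example (not from the diary): triage checks for the two indicators
# discussed above. Assumes PowerShell 3.0+ on the IIS host (for Get-Item -Stream)
# and that $Root points at the server's real web root.

function Test-SuspiciousAdminAccount {
    # Returns the members of the local Administrators group whose name
    # matches $Pattern (default: the IWAP_WWW name reported in the diary).
    param([string]$Pattern = 'IWAP_WWW')
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.Invoke('Members') | ForEach-Object {
        $name = $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
        if ($name -like "*$Pattern*") { $name }
    }
}

function Find-AlternateDataStreams {
    # Lists files under $Root that carry any NTFS stream other than the
    # primary ':$DATA' stream, together with the stream name and size.
    # Note: a 'Zone.Identifier' stream is a common, benign download marker;
    # anything else on a web-served image deserves a closer look.
    param(
        [string]$Root = 'C:\inetpub\wwwroot',
        [string[]]$Include = @('*.gif', '*.jpg', '*.jpeg')
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * enumerates every stream on the file; the
            # primary data stream ':$DATA' is present on every file and is skipped.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: run both checks and report what they find.
$hits = Test-SuspiciousAdminAccount
if ($hits) { Write-Output "Administrators group contains: $($hits -join ', ')" }
Find-AlternateDataStreams | Format-Table -AutoSize
```

Sizes reported in the Bytes column make it easy to spot the disk-space growth the diary suggests monitoring; a file whose hidden streams dwarf its visible image data is the case to investigate first.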
-------------------------------------------------------------------
Jim Clausing, jim.clausing at acm.org and
Johannes Ullrich, jullrich_at_sans.org