Request for Information: IWAP_WWW account
We have received information about compromised systems running Internet Information Server. These systems had an administrator-level account with the username 'IWAP_WWW' added. Please check whether your server has such an account and let us know what you find. Until we know more, we suggest that you consider a server compromised if you find an administrator account with this username.

Update at the end of the day, still looking for concrete info

We don't have a lot more information on this than when we posted the initial info this morning. Apparently some people started noticing it last Tuesday, and there has been some speculation that it may be related to Berbew, but the Symantec write-up on Berbew does not mention the administrator account, so that connection remains tentative at best. You can find some of the discussion of this at
http://www.webmasterworld.com/forum10/5849.htm
http://amazingtechs.com/index.php?showtopic=14414
and the Symantec write-up on Berbew at
http://www.sarc.com/avcenter/venc/data/backdoor.berbew.f.html

From the mailbag

We received some correspondence today from an educational institution which has detected what appears to be a fairly large number of GIFs and JPEGs on their Windows web server that have data stashed in alternate data streams (a feature of the NTFS file system). We're not sure yet how this data got onto the server. We are still investigating to determine what exactly has been stashed in the ADSes, but kudos to the admins at this site for even detecting them. This should serve as a reminder to administrators to monitor disk space and network usage, and when something out of the ordinary occurs, investigate (or get help investigating). We're not certain at this time how damaging this particular breach might be. If we learn anything interesting, we'll provide an update.
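A script for checking both indicators above on an IIS host, the 'IWAP_WWW' administrator account and image files carrying NTFS alternate data streams; this is an added example, not code from the diary or its correspondents. It assumes Windows PowerShell 5.1 or later with the LocalAccounts cmdlets (Windows 10 / Server 2016 and later) and a default web root of C:\inetpub\wwwroot.

```powershell
# Added example (not from the ISC diary). Reports the two indicators the diary
# asks administrators to look for. Assumptions: Get-LocalUser/Get-LocalGroupMember
# are available, and the IIS content lives under C:\inetpub\wwwroot.
function Find-IisCompromiseIndicators {
    param(
        [string]$WebRoot     = 'C:\inetpub\wwwroot',   # assumed default IIS web root
        [string]$SuspectUser = 'IWAP_WWW'              # account name reported in the diary
    )

    # Indicator 1: the suspect account exists AND sits in the local Administrators
    # group. Membership, not mere existence, is what the diary treats as the signal.
    $user = Get-LocalUser -Name $SuspectUser -ErrorAction SilentlyContinue
    if ($user) {
        $admins  = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
        $isAdmin = [bool]($admins | Where-Object { $_.SID -eq $user.SID })
        [pscustomobject]@{
            Indicator = if ($isAdmin) { 'SuspectAdminAccount' } else { 'SuspectAccount' }
            Detail    = "$SuspectUser exists (SID $($user.SID)); enabled=$($user.Enabled); " +
                        "password last set $($user.PasswordLastSet); Administrators member=$isAdmin"
        }
    }

    # Indicator 2: files under the web root with an alternate data stream other than
    # the default ':$DATA'. Zone.Identifier is written by browsers on downloaded files
    # and is usually benign; any other stream on served content, especially a large
    # one attached to a GIF or JPEG, deserves a closer look.
    Get-ChildItem -LiteralPath $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        ForEach-Object {
            $kind = if ($_.Stream -eq 'Zone.Identifier') { 'AdsZoneIdentifier' } else { 'AdsSuspect' }
            [pscustomobject]@{
                Indicator = $kind
                Detail    = "$($_.FileName):$($_.Stream) ($($_.Length) bytes)"
            }
        }
}

# Run it and show results; pipe to Export-Csv to keep a record for the investigation.
Find-IisCompromiseIndicators | Format-Table -AutoSize -Wrap
```

Run it in an elevated PowerShell session so the group membership query and the web root traversal are not blocked by permissions.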
Obligatory SANSFIRE plug: Track 8 will provide you with information on tools that can be used to investigate alternate data streams as part of the Windows forensics tools.
-------------------------------------------------------------------
Jim Clausing, jim.clausing at acm.org and Johannes Ullrich, jullrich_at_sans.org
Jim, ISC Handler, Jun 29th 2004