dotsandcoms
Rhtools.asp (IIS Exploit)

Hi !

There is this new tool called [edited site - ee_ai_construct, cs admin]
It allows you to control the machine after uploading this onto the remote machine (IIS).

It's an ASP file using encoded VB code....

We have the latest security updates installed and CMD.exe and other files renamed. But this seems to be using some other shell available on Windows to gain access to the remote machine.

It is a serious threat... I mean really serious. Since it allows you to do everything that a hacker would want to do with a remote machine. All with customised options available.

Is there any way to stop this happening on IIS / Win2k ??

Thanks

Bharat
nihlcat

***Moderators, please remove the above link, it is in a hacker web-ring!!!***
Sorry, I can't help you.  Any attempt I make to research this results in a German hacker webring, and my PC is attacked by Mal/Spy warez.  Best to contact Microsoft

http://support.microsoft.com/gp/cntactms
dotsandcoms (asker)

Problem is really serious... is there any other way I can post information which is more secure...?
I kept digging the M$ site to post my question on the vulnerability but could not find a place to do that...

From what we have found so far, there are two things we need to disable.

..\system32\scrrun.dll (FSO)
..\system32\wshom.ocx (WSHShell)

But these files get re-created as soon as we try deleting / disabling.

Thanks.. but no thanks.
I have the VB encoded code file which exploits the vulnerability. Will that help ?
This RHtools is a hacker device found on numerous German warez sites, is not documented, and I get attacked every time I try.  This is beyond my scope, and I won't endanger my network trying to answer.
I am not posting anything......
I have found a crude solution to this problem. But that is not what I am looking for as a solution... it's rather just a temporary breakthrough... until someone from you **experts** finds out what actually is causing a total security breakdown on Win2k/IIS5 or even Win2003/IIS6.

I  am still unable to post anything to Microso$ website....  

Anybody...... Any thoughts??? I can provide the ASP file if somebody wants to try to debug the code.

Immediate assistance is appreciated & desperately required. Before a lot of IISs go down....

Thanks

BT
Luc Franken
dotsandcoms,

Once you have time it would be helpful for future reference if we knew the site where you click on the link that took you to the baddie site.  Don't post it but perhaps email as much as you can to ee_ai_construct   at  experts.exchange  dot com

It might be possible to give the moderators and page editors a warning about the sites leading into the dangerous link.

ee,

That is, if we arm the PEs and mods with the information, it will help us to be able to respond and keep it off the site.

If this is really some new attack on IE, I expect we will get a wave of it in BI and Web Dev.

Cd&
According to the information on the originating website, this has been out for more than a year in one version or another (bug fixes issued 10/13/03).  Perhaps a new attack vector? In any case, security on the IIS site should handle all attacks -- nothing should be able to write to a directory where scripts have execute permissions.
From what I've seen now, the webpage where I found rhtools.asp itself isn't capable of just installing from an ASP webpage; it'll need to be installed on an IIS server (so all computers without IIS are pretty safe from this). So it either happened through a vulnerability on some webpage, or this webserver was already compromised by some backdoor.
I have a decoded version of rhtools.asp now, but my ASP skills are next to zero and I can't find what it exactly does, and I don't have a computer around which I can infect at this moment. I'll see if I can do so tomorrow.

As a response to http:#12382163
Both files are normal Windows system files; they just handle all kinds of scripting on the computer (that's why disabling them worked for a while).

LucF
Report a Security Vulnerability
The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we'd like to work with you to investigate it.
https://s.microsoft.com/technet/security/bulletin/alertus.aspx

You could try installing URLScan from http://www.microsoft.com/technet/security/tools/urlscan.mspx

That's pretty good at locking down IIS 5, anyway.

patrick_henry_1776
For those testing rhtools.asp -  I'd suggest you change lines 109, 399 and 783 before running the script. I've not fully played about with it but these lines seem to be scripting an executable to the server.
When trying to run the registry editing suite contained in it, I get a

Microsoft VBScript runtime error '800a0046'
Permission denied

- I should point out that my local machine has very low security. Anyone had any luck elevating their levels with this?
I am not really much of an expert but here are a few suggestions

1) The reason those files are getting recreated could be due to the wonders of Windows XP's/2003's File Protection (whether this technology exists on 2k I'm not too sure). It might be better to try regsvr32 FILENAME /u to unregister them (you should be able to kill off FSO and WScripting this way).

2) WEBDAV seems to be a service I know little about, however there have been vulnerabilities with it in the past and I believe it can write/post files to webroot folders, maybe it would be an idea to kill this using a simple regedit (See google for info on Disabling WEBDAV)

3) It might be an idea to check other services like FTP and upload forms to see if you can identify any holes you have open (Is there maybe a FTP account created for this user)

Back to you experts :)
oh and unregister windows scripting
Anything more needed here?
well, mainly be careful of who can upload ASP files and to which folders.. and disallow anything such as FSO and Windows Scripting that allows access to the server's files
Hi !

Good news is Norton Antivirus Corp. Edition detects all files with that code and puts them away...

But that is as long as you have NAV Corp. with latest updates.

And yes, it requires ASP / FSO / Windows Scripting and other tools to function and do any damage. But that would be possible on any machine with slightly relaxed rules.

As users could upload this file on any server simply using any form on the website which is meant to allow users to upload content for sharing.

Thanks everybody for all the support & efforts.

I am not sure if anybody should get these points... But disabling FSO / Windows Scripting does stop this from functioning. Any suggestions???

Bharat
My suggestion is to give the points to me with grade A. A few new posts about just how good I am wouldn't go amiss, either. Autograph requests will be dealt with in good time. ;)
Without FSO and Windows Scripting I can't really see how a user could upload *any* malicious code
(However of course this might be a very narrow minded view as I don't confess to have any experience in such areas)

dotsandcoms : Have you actually had a copy of the decoded file to examine? Also I would like to point out that Norton Antivirus does *NOT* pick it up in its decoded form... So maybe there are still lessons to be learnt here...

The code on its own does not really HiJack or call any "exploits" as such, it is well documented on the homepage of the script, however yes it is designed to execute files and test permissions...

This file is however just as dangerous as any other ASP file, this however shows that you need to disable FSO and WSH rather quickly if you have users uploading ASP files to your site
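The posts above note that NAV catches the encoded file but not its decoded form, and that FSO and WSH are what the script needs. As an added example (not from this thread and not rhtools.asp itself), a small Python check a site operator could run over an upload folder that flags both: the Script Encoder header that "Encoded VB Code" leaves in a file, and plain-text CreateObject calls for the two objects. The extension list and the sample uploads are assumptions constructed for the demo.

```python
import re
from pathlib import PurePosixPath

# Extensions IIS 5/6 hand to asp.dll (assumption: the default script mappings
# are still in place; .asa/.cer/.cdx are easy to forget in an upload filter).
ASP_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx"}

# Header written by Microsoft's Script Encoder ("#@~^" + 6 base64 chars + "=="),
# which is what an ASP page with encoded VBScript looks like on disk.
ENCODED_MARKER = re.compile(r"#@~\^[A-Za-z0-9+/]{6}==")

# Plain-text creation of the two COM objects the thread singles out (FSO and WSH Shell).
COM_OBJECTS = re.compile(
    r"CreateObject\s*\(\s*[\"'](Scripting\.FileSystemObject|WScript\.Shell)[\"']",
    re.IGNORECASE,
)


def scan_upload(name: str, content: str) -> list[str]:
    """Return the reasons an uploaded file deserves a closer look (empty list = nothing found)."""
    findings = []
    ext = PurePosixPath(name).suffix.lower()
    if ext in ASP_EXTENSIONS:
        findings.append(f"server-side extension {ext}")
    if ENCODED_MARKER.search(content):
        findings.append("encoded VBScript block")
    for m in COM_OBJECTS.finditer(content):
        findings.append(f"CreateObject {m.group(1)}")
    return findings


# Constructed sample uploads for the demo (not real rhtools.asp content).
SAMPLE_UPLOADS = {
    "readme.txt": "Thanks for sharing, see you next week.",
    "tool.asa": 'Set fso = Server.CreateObject("Scripting.FileSystemObject")\n',
    "page.asp": '<%@ Language="VBScript.Encode" %>\n<% #@~^AQAAAA==@#@&...==^#~@ %>\n',
    "notes.txt": 'Set sh = CreateObject("WScript.Shell")\n',
}


def scan_all(uploads: dict[str, str]) -> dict[str, list[str]]:
    """Scan a name -> content mapping; content is inspected regardless of extension."""
    return {name: scan_upload(name, body) for name, body in uploads.items()}


if __name__ == "__main__":
    for name, findings in scan_all(SAMPLE_UPLOADS).items():
        print(f"{name}: {', '.join(findings) if findings else 'clean'}")
```

Content is checked independently of the file name, so a WScript.Shell call in a .txt upload is still reported.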
Sorry to bug you dotsandcoms, but could you please reward whoever's advice you found the most helpful? This question has been open for quite some time now :P
hi,
i am seeing this now
earlier on somebody wrote to do this:

To Unregister the FileSystem COM Object  
At the command prompt - type:
regsvr32 scrrun.dll /u

but then said "oh and unregister windows scripting"

question is how do you do this ?

given that this discussion finished over 4 months ago, has somebody learnt anything new about this?

thanks
landes
Landes, unfortunately I was wrong to make that comment. ASP afaik relies on Windows Scripting Host (http://www.windowsitpro.com/Windows/Article/ArticleID/3091/3091.html). Back in the Windows 98 days you could remove it... Today, I wouldn't recommend it.

Windows Server 2003 limits the IUSER account quite well, disable FSO as a paranoid security measure...but you shouldn't need to go as far as disable WSH

If anyone is interested, I'm thinking of programming an FSO equivalent that would allow users to create and write to text files and copy files etc., but only in specific folders... with a GUI restricting what operations are allowed or not... let me know if anyone is interested..

Matt
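Matt's idea above, a file-access wrapper that only works inside specific folders, as an added Python example (not Matt's code and not from this thread). The folder layout and file names used by `demo()` are constructed for the demonstration; the point is the canonicalize-then-check step that keeps "..", absolute paths and symlinks from widening access.

```python
import os
import tempfile


class ConfinedFileAccess:
    """Stand-in for an FSO that may only read/write beneath one allowed folder."""

    def __init__(self, root: str):
        self.root = os.path.realpath(root)

    def _resolve(self, relative: str) -> str:
        # Refuse absolute paths and drive letters outright, then canonicalize
        # (resolving ".." and symlinks) and require the result to stay under root.
        if os.path.isabs(relative) or os.path.splitdrive(relative)[0]:
            raise PermissionError(f"absolute path refused: {relative}")
        full = os.path.realpath(os.path.join(self.root, relative))
        if os.path.commonpath([self.root, full]) != self.root:
            raise PermissionError(f"path escapes allowed folder: {relative}")
        return full

    def is_allowed(self, relative: str) -> bool:
        try:
            self._resolve(relative)
            return True
        except PermissionError:
            return False

    def write_text(self, relative: str, text: str) -> None:
        full = self._resolve(relative)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)

    def read_text(self, relative: str) -> str:
        with open(self._resolve(relative), encoding="utf-8") as fh:
            return fh.read()


def demo() -> dict:
    """Exercise the wrapper in a throwaway folder (constructed) and report each request's outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        files = ConfinedFileAccess(tmp)
        files.write_text("uploads/note.txt", "hello")
        # A symlink inside the folder that points outside must not widen access.
        os.symlink(os.path.dirname(files.root), os.path.join(files.root, "link"))
        return {
            "roundtrip": files.read_text("uploads/note.txt"),
            "traversal": files.is_allowed("../outside.txt"),
            "absolute": files.is_allowed("/etc/hosts"),
            "symlink": files.is_allowed("link/anything.txt"),
            "nested": files.is_allowed("uploads/sub/more.txt"),
        }
```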