Solved

Rhtools.asp (IIS Exploit)

Posted on 2004-10-22
4,923 Views
Last Modified: 2013-12-04
Hi !

There is this new tool called [edited site - ee_ai_construct, cs admin]
It allows you to control the machine after uploading this onto the remote machine (IIS).

It's an ASP file using encoded VB code....

We have the latest security updates installed and cmd.exe and other files renamed. But this seems to be using some other shell available on Windows to gain access to the remote machine.

It is a serious threat... I mean really serious, since it allows you to do everything that a hacker would want to do with a remote machine, all with customised options available.

Is there any way to stop this happening on IIS / Win2k ??

Thanks

Bharat
0
Question by:dotsandcoms
    29 Comments
     
    LVL 6

    Expert Comment

    by:nihlcat
    ***Moderators, please remove the above link, it is in a hacker web-ring!!!***
    0
     
    LVL 6

    Expert Comment

    by:nihlcat
    Sorry, I can't help you.  Any attempt I make to research this results in a German hacker webring, and my PC is attacked by Mal/Spy warez.  Best to contact Microsoft

    http://support.microsoft.com/gp/cntactms
    0
     

    Author Comment

    by:dotsandcoms

    The problem is really serious... is there any other way I can post information that is more secure?
    0
     

    Author Comment

    by:dotsandcoms
    I kept digging the M$ site to post my question on the vulnerability but could not find a place to do that...

    From what we have found so far, there are two things we need to disable:

    ..\system32\scrrun.dll (FSO)
    ..\system32\wshom.ocx  (WSHShell)

    But these files get re-created as soon as we try deleting / disabling.

    Thanks.. but no thanks.
    0
     

    Author Comment

    by:dotsandcoms
    I have the VB encoded code file which exploits the vulnerability. Will that help ?
    0
     
    LVL 6

    Expert Comment

    by:nihlcat
    This RHtools is a hacker device found on numerous German warez sites, is not documented, and I get attacked every time I try.  This is beyond my scope, and I won't endanger my network trying to answer.
    0
     

    Author Comment

    by:dotsandcoms
    I am not posting anything......
    0
     

    Author Comment

    by:dotsandcoms
    I have found a crude solution to this problem. But that is not what I am looking for as a solution... it's rather just a temporary breakthrough....       until someone from you **experts** finds out what actually is causing a total security breakdown on win2k/iis5 or even win2003/iis6.

    I am still unable to post anything to the Microso$ website....  

    Anybody ...... Any thoughts ???    I can provide the ASP file if somebody wants to try to debug the code.

    Immediate assistance is appreciated & desperately required. Before a lot of IIS's go down....

    Thanks

    BT
    0
     
    LVL 32

    Assisted Solution

    by:Luc Franken
    dotsandcoms,

    Please DON'T post ANY code here, it could be used to exploit other compromised computers.
    For you to start, disconnect this computer from the internet NOW! No matter how important the internet connection might seem to you, at this moment you don't want to have it. All downloads in the following steps should be done with another computer, and transfer the files with a cd-rom, not over the network.

    Then, please follow these steps: (all of them, don't care about how stupid they may seem, most are to make my life easy in helping you)
    1) Download and install Adaware SE => http://www.lavasoftusa.com/support/download/
        And replace the reference file with the latest => http://download.lavasoft.de.edgesuite.net/public/defs.zip
        Run the program, and use the "full systemscan"

    2) Download and install Trojan Remover => http://www.simplysup.com/tremover/download.html
        Download and install both the program and the reference updates => http://www.simplysup.com/tremover/update3.html
        Run a full scan

    3) Arm yourself with Hijackthis => http://www.aumha.org/downloads/hijackthis.exe
        Normally I would suggest you post the log at an analysis site, but this time I'm asking you:
        Put hijackthis in its own folder, NOT in any Temporary folder or on the desktop (something like c:\hjt\hijackthis.exe will do fine)
        Run it, read and accept the first warning.
        Click "Scan" and then "Save Log"
        The logfile will appear in notepad, read through it, make sure to remove any reference to your domainname or IP addresses.
        Then, post the rest of the logfile here and I'll take a look at it.

    Greetings and good luck,

    LucF
    0
     
    LVL 32

    Assisted Solution

    by:bhess1
    Okay - I have taken a look at this (thanks, Firefox - no holes for anyone to attack me through).

    First - this is an ASP file.  To get it installed and running, they had to be able to upload it to your system, into a script directory.  This indicates that your security and permissions are incorrect, and will need to be fixed.  As a quick workaround:

    (1) Shut down your web site.  Turn off all IIS services.

    (2) Search your drives for all copies of rhtools.asp.  Delete them.

    (3) Search your registry for any reference to rhtools.asp.
    (3a)  I cannot tell you to delete any references, but I would recommend at least altering them so that, if a new rhtools.asp is written out, you can tell where it came from.

    (4) [optional] Search all files for the string rhtools.asp.  Also, search all files for the string <%@ LANGUAGE = VBScript.Encode %>
          Quarantine all files that you find that you cannot otherwise identify.  If it shows up in your registry, then search there as well.

    (5) Ensure that IIS does not start by default - set the services to Manual start

    (6) physically reboot the server (power all the way off).  This stops all running processes.

    (7) If IIS is not running
          (7a) Repeat step 2
          (7b) Repeat step 3

    (8) If IIS is running
          (This is beyond me - some process reset the IIS state) Manually stop all processes that are not essential
          ... Repeat steps 1 to 6
          ... If IIS is still running, then get outside help -- I can't do it from a distance at this point.

    (9)  [*** IMPORTANT -- KEY ***] In IIS, Remove write permissions to any directory that scripts are allowed to be executed in.  Remove execute permissions from all directories that do not need to execute scripts!

    (10) Download and run MS's security check tool

     That's the best that I can do right now on this.  You might also want to download and install the Firefox Preview from www.mozilla.org -- since it does not have IE's security holes, you have fewer chances to be infected through it (and the websites for this rootkit don't touch a PC with them installed)

    0
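The file search in steps (2) and (4) above, done as a script. This is an added example (Python, not code from this thread, from rhtools.asp or from any tool named here): it walks a web root, flags files that carry the VBScript.Encode page directive, the `#@~^` marker the Script Encoder writes in front of encoded text, the WScript.Shell / FileSystemObject / RegWrite calls the decoded script relies on, or the rhtools.asp name, and moves the encoded hits into a quarantine directory with a .txt suffix. The sample web root is constructed inline and contains only these markers, no working payload; the marker format and the list of script-mapped extensions are my assumptions, not something the thread states.

```python
import json
import os
import re
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the thread: the page directive that switches a page to
# encoded VBScript, the start marker the Script Encoder puts in front of encoded
# text (assumed format: "#@~^", six length characters, "=="), and the COM
# objects the decoded shell needs. Plaintext indicators matter because the
# decoded form of the script was reported later in the thread to slip past AV.
INDICATORS = {
    "encoded-directive": re.compile(rb"<%@\s*LANGUAGE\s*=\s*VBScript\.Encode\s*%>", re.I),
    "screnc-marker": re.compile(rb"#@~\^[A-Za-z0-9+/]{6}=="),
    "wscript-shell": re.compile(rb"CreateObject\s*\(\s*[\"']WScript\.Shell[\"']", re.I),
    "filesystemobject": re.compile(rb"CreateObject\s*\(\s*[\"']Scripting\.FileSystemObject[\"']", re.I),
    "registry-write": re.compile(rb"\.RegWrite\b", re.I),
}
SUSPECT_NAMES = {"rhtools.asp"}                                  # name reported in the thread
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx", ".htr"}    # assumed IIS script mappings


def scan_file(path: Path) -> dict:
    """Return the indicators found in one file."""
    data = path.read_bytes()
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    if path.name.lower() in SUSPECT_NAMES:
        hits.append("known-name")
    return {"path": str(path), "hits": hits,
            "script": path.suffix.lower() in SCRIPT_EXTENSIONS}


def scan_webroot(root) -> list:
    """Walk the web root and keep only files with at least one indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            result = scan_file(Path(dirpath) / fn)
            if result["hits"]:
                findings.append(result)
    return sorted(findings, key=lambda r: r["path"])


def quarantine(finding: dict, quarantine_dir: Path, root: Path) -> Path:
    """Move a flagged file out of the web root. The original relative path is
    folded into the new name, and .txt is appended so no script mapping will
    ever execute the quarantined copy."""
    src = Path(finding["path"])
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / (str(src.relative_to(root)).replace(os.sep, "__") + ".txt")
    shutil.move(str(src), str(dest))
    return dest


def build_sample_webroot() -> Path:
    """Constructed sample tree for the demo: the 'shell' files contain only the
    markers above and no working payload."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "uploads").mkdir()
    (root / "default.asp").write_bytes(
        b'<%@ LANGUAGE = VBScript %>\n<% Response.Write "hello" %>')
    (root / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0 not a real jpeg")
    (root / "uploads" / "rhtools.asp").write_bytes(
        b'<%@ LANGUAGE = VBScript.Encode %>\n<%#@~^AAAAAA==ZZZZZZ==^#~@%>')
    (root / "uploads" / "cmd.asp").write_bytes(
        b'<% Set sh = Server.CreateObject("WScript.Shell")\n'
        b'sh.RegWrite "HKLM\\Software\\Demo", 1 %>')
    return root


def run_demo() -> dict:
    """Scan the constructed web root and quarantine the encoded hits."""
    root = build_sample_webroot()
    findings = scan_webroot(root)
    qdir = root.parent / (root.name + "-quarantine")
    moved = [quarantine(f, qdir, root).name for f in findings
             if "encoded-directive" in f["hits"] or "screnc-marker" in f["hits"]]
    return {
        "flagged": {os.path.relpath(f["path"], root).replace(os.sep, "/"): f["hits"]
                    for f in findings},
        "quarantined": moved,
        "remaining": sorted(p.name for p in root.rglob("*") if p.is_file()),
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run it with IIS stopped, as in step (1), or against a copy of the web root. A legitimately encoded page will also trip the directive and marker checks, so review each hit before quarantining it; the name check is the weakest signal, since the attacker can call the file anything, which is why the plaintext CreateObject/RegWrite checks are there as well.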
     
    LVL 53

    Expert Comment

    by:COBOLdinosaur
    dotsandcoms,

    Once you have time it would be helpful for future reference if we knew the site where you click on the link that took you to the baddie site.  Don't post it but perhaps email as much as you can to ee_ai_construct   at  experts.exchange  dot com

    It might be possible to give the moderators and page editors a warning about the sites leading into the dangerous link.

    ee,

    If we arm the PEs and mods with the information, it will help us to be able to respond and keep it off the site.

    If this is really some new attack on IE, I expect we will get a wave of it in BI and Web Dev.

    Cd&
    0
     
    LVL 32

    Expert Comment

    by:bhess1
    According to the information on the originating website, this has been out for more than a year in one version or another (bug fixes issued 10/13/03).  Perhaps a new attack vector? In any case, security on the IIS site should handle all attacks -- nothing should be able to write to a directory where scripts have execute permissions.
    0
     
    LVL 32

    Expert Comment

    by:Luc Franken
    From what I've seen now, the webpage where I found rhtools.asp itself isn't capable of just installing from an ASP webpage; it'll need to be installed on an IIS server (so all computers without IIS are pretty safe from this). So it either happened through a vulnerability on some webpage, or this webserver was already compromised by some backdoor.
    I have a decoded version of rhtools.asp now, but my asp skills are next to zero and I can't find what it exactly does, and I don't have a computer around which I can infect at this moment. I'll see if I can do so tomorrow.

    As a response to http:#12382163
    Both files are normal Windows system files, they just handle all kinds of scripting on the computer. (That's why disabling them worked for a while.)

    LucF
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Report a Security Vulnerability
    The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we'd like to work with you to investigate it.
    https://s.microsoft.com/technet/security/bulletin/alertus.aspx

    0
     

    Expert Comment

    by:patrick_henry_1776
    You could try installing URLScan from http://www.microsoft.com/technet/security/tools/urlscan.mspx

    That's pretty good at locking down IIS 5, anyway.

    patrick_henry_1776
    0
     
    LVL 10

    Expert Comment

    by:thefritterfatboy
    For those testing rhtools.asp -  I'd suggest you change lines 109, 399 and 783 before running the script. I've not fully played about with it but these lines seem to be scripting an executable to the server.
    0
     
    LVL 10

    Assisted Solution

    by:thefritterfatboy
    I can't really see any security hole in this script. Your lockdowns *should* be preventing someone from calling a Server.CreateObject("WScript.Shell") that has any capabilities. This script uses the WScript.Shell object and calls methods such as RegWrite to write registry keys/values.

    The upload uses nothing but FileSystemObject to write the files and WScript.Shell to execute. The only possible way for this script to be doing any damage is if the executable in it is changing your settings. (And unless the user who uploaded the script has executable permissions - I can see no way of executing this file)

    I have not run the script fully (with executable code still in). Can anyone shed any light on how it executes?
    0
     
    LVL 10

    Expert Comment

    by:thefritterfatboy
    When trying to run the registry-editing suite it contains, I get a

    Microsoft VBScript runtime error '800a0046'
    Permission denied

    - I should point out that my local machine has very low security. Anyone had any luck elevating their levels with this?
    0
     
    LVL 3

    Expert Comment

    by:matthew1471
    I am not really much of an expert but here are a few suggestions

    1) The reason those files are getting recreated could be due to the wonders of Windows XP's/2003's File Protection (whether this technology exists on 2k I'm not too sure); it might be better to try regsvr32 FILENAME /u to unregister them (you should be able to kill off FSO and WScripting this way)

    2) WEBDAV seems to be a service I know little about, however there have been vulnerabilities with it in the past and I believe it can write/post files to webroot folders, maybe it would be an idea to kill this using a simple regedit (See google for info on Disabling WEBDAV)

    3) It might be an idea to check other services like FTP and upload forms to see if you can identify any holes you have open (Is there maybe a FTP account created for this user)

    Back to you experts :)
    0
     
    LVL 3

    Accepted Solution

    by:
    I ran a google search on "Rhtools.asp" where I managed to find the official homepage for the hack tool.. Norton flipped out "Virus Detected".. Disabled Norton, opened in Notepad, noticed it was encoded, downloaded a decoder, decoded the script and noted what components it uses

    It basically checks security on every file and folder, and allows uploads; the official site is actually more detailed about explaining the different errors and things that can prevent this script from working (placing weaknesses in code which finds weaknesses in computer systems does rather beat it at its own game ;-) ). My Norton detected it, so chances are your webserver AV should also be on the ball by now and this won't be much of a threat

    For future reference, and should you be using your server in an environment where people can upload their own ASP code, unregister the FSO; most webhosts do

    To Unregister the FileSystem COM Object  
    At the command prompt - type:
    regsvr32 scrrun.dll /u
    0
     
    LVL 3

    Expert Comment

    by:matthew1471
    oh and unregister windows scripting
    0
     
    LVL 27

    Expert Comment

    by:Asta Cu
    Anything more needed here?
    0
     
    LVL 3

    Expert Comment

    by:matthew1471
    well mainly be careful of who can upload ASP files and to which folders.. and disallow anything such as FSO and Windows Scripting that allow access to the servers' files
    0
     

    Author Comment

    by:dotsandcoms
    Hi !

    Good news is Norton Antivirus Corp. Edition detects all files with that code and puts them away...

    But that is as long as you have NAV Corp. with latest updates.

    And yes, it requires ASP / FSO / Windows Scripting and other tools to function and do any damage. But that would be possible on any machine with slightly relaxed rules.

    As users could upload this file on any server simply using any form on the website which is meant to allow users to upload content for sharing.

    Thanks everybody for all the support & efforts.

    I am not sure if anybody should get these points... But FSO / Windows Scripting disabling does stop this from functioning. Any suggestions ???

    Bharat
    0
     
    LVL 10

    Expert Comment

    by:thefritterfatboy
    My suggestion is to give the points to me with grade A. A few new posts about just how good I am wouldn't go amiss, either. Autograph requests will be dealt with in good time. ;)
    0
     
    LVL 3

    Expert Comment

    by:matthew1471
    Without FSO and Windows Scripting I can't really see how a user could upload *any* malicious code
    (However of course this might be a very narrow minded view as I don't confess to have any experience in such areas)

    dotsandcoms : Have you actually had a copy of the decoded file to examine? Also I would like to point out that Norton Antivirus does *NOT* pick it up in its decoded form... So maybe there are still lessons to be learnt here...

    The code on its own does not really HiJack or call any "exploits" as such, it is well documented on the homepage of the script, however yes it is designed to execute files and test permissions...

    This file is however just as dangerous as any other ASP file, this however shows that you need to disable FSO and WSH rather quickly if you have users uploading ASP files to your site
    0
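The point the thread converges on (dotsandcoms: the file can arrive through any content-sharing upload form; matthew1471: be careful who can upload ASP files and to which folders) as an upload gate. This is an added example in Python, not code from the thread, from rhtools.asp or from any web framework: the client-supplied name is never used, every extension in the name is checked against the script-mapped ones, the body must match the magic bytes of the declared type, and the file is written under a server-chosen random name. It assumes the upload directory has Execute Permissions set to None in IIS (step (9) in bhess1's answer), which this code cannot enforce; the list of IIS script-mapped extensions is my recollection of the IIS 5/6 defaults and should be checked against the actual script mappings; all sample uploads are constructed.

```python
import secrets
import tempfile
from pathlib import Path

# Extensions classic IIS maps to a script engine by default. This list is my
# recollection of the IIS 5/6 defaults plus the ASP.NET ones; check it against
# the script mappings of the server you actually run (assumption, not from the thread).
IIS_SCRIPT_EXTENSIONS = {
    ".asp", ".asa", ".cdx", ".cer", ".htr", ".idc", ".shtm", ".shtml", ".stm",
    ".ida", ".idq", ".printer", ".aspx", ".asax", ".ascx", ".ashx", ".asmx",
}
# Allowlist: extension -> magic bytes the content must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
    ".pdf": b"%PDF-",
}


class UploadRejected(ValueError):
    pass


def vet_upload(original_name: str, content: bytes) -> str:
    """Validate a client-supplied name and body; return the extension to store under."""
    name = original_name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    if not name or any(c in ";:" or ord(c) < 32 for c in name):
        raise UploadRejected("bad characters in file name")
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise UploadRejected("no extension")
    exts = ["." + p for p in parts[1:]]          # every extension, so x.jpg.asp is seen too
    if any(e in IIS_SCRIPT_EXTENSIONS for e in exts):
        raise UploadRejected("script-mapped extension")
    ext = exts[-1]
    if ext not in ALLOWED:
        raise UploadRejected("extension not in allowlist")
    if not content.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match declared type")
    return ext


def store_upload(original_name: str, content: bytes, upload_dir: Path) -> Path:
    """Store under a server-chosen random name. upload_dir must be a directory
    with Execute Permissions set to None in IIS and NTFS write access only for
    the upload process; that is server configuration and cannot be enforced here."""
    ext = vet_upload(original_name, content)
    upload_dir.mkdir(parents=True, exist_ok=True)
    dest = upload_dir / (secrets.token_hex(16) + ext)
    with open(dest, "xb") as fh:              # 'x' refuses to overwrite an existing file
        fh.write(content)
    return dest


def run_demo() -> dict:
    """Constructed sample uploads, including the file name from the thread."""
    upload_dir = Path(tempfile.mkdtemp(prefix="uploads-"))
    cases = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "rhtools.asp": b"<%@ LANGUAGE = VBScript.Encode %>",
        "image.jpg.asp": b"\xff\xd8\xff\xe0",
        "photo.asp;.jpg": b"\xff\xd8\xff\xe0",
        "../../inetpub/wwwroot/shell.asp": b"<% %>",
        "notes.txt": b"hello",
        "fake.png": b'<% Set fso = CreateObject("Scripting.FileSystemObject") %>',
    }
    outcome = {}
    for name, content in cases.items():
        try:
            stored = store_upload(name, content, upload_dir)
            outcome[name] = ("accepted", stored.suffix, len(stored.stem))
        except UploadRejected as exc:
            outcome[name] = ("rejected", str(exc))
    return outcome


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name!r}: {result}")
```

The gate is the application-side half only. Even a perfect allowlist does not help if the directory it writes into is script-executable or if the uploader can reach another directory that is, so the IIS side (no execute permission where writes are allowed, no write permission where scripts execute) remains the part that actually stops rhtools.asp from running.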
     
    LVL 3

    Expert Comment

    by:matthew1471
    Sorry to bug you dotsandcoms, but could you please reward whoever's advice you found the most helpful? This question has been open for quite some time now :P
    0
     

    Expert Comment

    by:landes
    hi,
    i am seeing this now
    earlier on somebody wrote to do this:

    To Unregister the FileSystem COM Object  
    At the command prompt - type:
    regsvr32 scrrun.dll /u

    but then said "oh and unregister windows scripting"

    question is how do you do this ?

    Given that this discussion finished over 4 months ago, has somebody learned anything new about this?

    thanks
    landes
    0
     
    LVL 3

    Expert Comment

    by:matthew1471
    Landes, unfortunately I was wrong to make that comment; ASP afaik relies on Windows Scripting Host (http://www.windowsitpro.com/Windows/Article/ArticleID/3091/3091.html). Back in the Windows 98 days you could remove it... Today, I wouldn't recommend it

    Windows Server 2003 limits the IUSER account quite well; disable FSO as a paranoid security measure... but you shouldn't need to go as far as disabling WSH

    If anyone is interested, I'm thinking of programming an FSO equivalent that would allow users to create and write to text files and copy files etc.. but only in specific folders... with a GUI restricting what operations are allowed or not... let me know if anyone is interested..

    Matt
    0
