Security Incidents mailing list archives
Re: IIS Unicode attack decode
From: Derek Kwan <dkwan () KWAN CA>
Date: Tue, 20 Mar 2001 11:54:06 -0500
On Tue, 20 Mar 2001, ROBERT DEMAIN wrote:
Hello All,

Recently I've been seeing quite a few attempts from the same Russian IP trying to send Unicode commands to a web server. These attacks were picked up by an IDS. Below are extracts from the log file on the web server (see below). My understanding of what has happened here is as follows:
- attacker tries a few attempts at doing a dir listing of c: and d:
- attacker tries to copy important stuff from the \repair directory to c:\inetpub\wwwroot (most unfriendly)
- attacker tries to copy bitmap (Blue%20Lace%2016.bmp) - not sure what this is about
I think copying "Blue Lace 16.bmp" is just to see if the exploit works. Maybe it is a script doing all this... and in theory if the attack works, the attacker can then check the root document directory and see if he/she can download the bmp file. Just my few CPU cycles....
Putting it all together it seems the attacker tried to use the IIS 4 and 5 Unicode exploit to copy the SAM file to a place where he/she/it thought they could get it from (on this server c:\inetpub\wwwroot is not the default web site or anything, but I believe it is on a default IIS install). This failed for two main reasons:
1. the IUSR_servername account (which is the user account this exploit can run as - correct me if I'm wrong) does not have permissions on \repair
2. the copy of the file to c:\inetpub\wwwroot would also fail as IUSR_servername would not have the rights.
Anyone have any comments on this? Anyone else seen activity like this?
Regards
Rob
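The decoding problem at the heart of this thread, working out what a request built from sequences like %c0%af actually asked for, as an added example that is not part of any poster's message: a small Python scanner over constructed IIS-style log lines that folds the overlong UTF-8 forms IIS 4/5 accepted back to plain ASCII, then flags directory traversal and cmd.exe indicators so an analyst can triage the hits. The log layout, the sample lines and the client IP addresses are all constructed for this example; the bitmap source path is a placeholder, not a known location.

```python
import re
from urllib.parse import unquote_to_bytes, unquote_plus

# Constructed sample log, W3C-style fields: date time c-ip method uri-stem uri-query status.
# These lines are made up for the example and are not the log extract from the original post.
SAMPLE_LOG = r"""
2001-03-20 10:15:01 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200
2001-03-20 10:15:03 192.0.2.10 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+d:\ 200
2001-03-20 10:15:07 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\placeholder\Blue%20Lace%2016.bmp+c:\inetpub\wwwroot\ 200
2001-03-20 10:15:09 192.0.2.10 GET /Blue%20Lace%2016.bmp - 404
2001-03-20 10:16:00 198.51.100.7 GET /index.html - 200
"""

# Two-byte overlong sequences (%c0xx / %c1xx) are never produced by a correct UTF-8 encoder;
# their presence in a request is itself an indicator of the encoding trick.
OVERLONG = re.compile(r'%c[01]%[89ab][0-9a-f]', re.IGNORECASE)
# ".." as a whole path component, after normalisation.
TRAVERSAL = re.compile(r'(^|/)\.\.(/|$)')


def decode_iis_path(raw: str) -> str:
    """Percent-decode a URI stem, then fold overlong two-byte UTF-8 back to the ASCII
    character it encodes (e.g. %c0%af -> '/', %c1%9c -> '\\'). A strict UTF-8 decoder
    rejects these forms; IIS 4/5 accepted them, which is the bug the thread discusses.
    Backslashes are normalised to '/' so one traversal check covers both separators."""
    data = unquote_to_bytes(raw)
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))  # latin-1 style, keeps any other byte visible
            i += 1
    return ''.join(out).replace('\\', '/')


def scan(log_text: str) -> list:
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0].startswith('#'):
            continue
        _date, _time, client_ip, _method, uri_stem, uri_query, status = parts[:7]
        path = decode_iis_path(uri_stem)
        indicators = []
        if OVERLONG.search(uri_stem):
            indicators.append('overlong-utf8')
        if TRAVERSAL.search(path):
            indicators.append('traversal')
        if 'cmd.exe' in path.lower():
            indicators.append('cmd.exe')
        if indicators:
            findings.append({
                'ip': client_ip,
                'decoded_path': path,
                'query': unquote_plus(uri_query) if uri_query != '-' else '',
                'status': status,           # carried through: a 200 here means the request reached cmd.exe
                'indicators': indicators,
            })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['decoded_path']} {f['query']} <- {', '.join(f['indicators'])}")
```

The bitmap fetch on its own produces no finding; it only becomes meaningful next to the cmd.exe requests from the same client, which is why the scanner keeps the client IP and the server's status code with every hit rather than reporting the traversal pattern alone.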