Re: IIS Unicode attack decode

[Derek Kwan <dkwan () KWAN CA>]

On Tue, 20 Mar 2001, ROBERT DEMAIN wrote:

> Hello All,
>
> Recently i've been seeing quite a few attempts from the same russian IP
> trying to send unicode commands to a web server.  These attacks were picked
> up by an IDS.  Below are extracts from the log file on the web server (see
> below)
>
> My understanding of what has happened here is as follows:
> -attacker tries a few attempts at doing a dir listing of c: and d:
> -attacker tries to copy important stuff from the \repair directory to
> c:\inetpub\wwwroot (most unfriendly)
> -attacker tries to copy bitmap (Blue%20Lace%2016.bmp) - not sure what this
> is about

I think copying "Blue Lace 16.bmp" is just try to see it the expolit
works. Maybe is a script doing all this... and in theory if the attack
works, the attacker can then check the root document directory and see if
he/she can download the bmp file.

Just my few CPU cycles....


> Putting it all together it seems the attacker tried to use the iis4 and 5
> unicode exploit to copy the sam file to a place where he/she/it thought they
> could get it from (on this server c:\inetpub\wwwroot is not the default web
> site or anything, but i believe it is on a default iis install).  This
> failed for two main reasons; 1. the iusr_servername account (which is the
> user account this exploit can run as - correct me if i'm wrong) does not
> have permissions on \repair 2. the copy of the file to c:\inetpub\wwwroot
> would also fail as iusr_servername would not have the rights.
>
> Anyone have any comments on this?  Anyone else seen activity like this?
>
> Regards
>
> Rob