Security Incidents mailing list archives

Re: Wave of Nimda-like hits this morning?


From: "security" <security_traq () hotmail com>
Date: Tue, 26 Feb 2002 20:14:46 -0500

The GET command you're receiving is an old decode exploit that's still
vulnerable as far as I am aware (IIS 4.0+). It allows any user to run programs
as IUSR_MACHINENAME on Windows boxes. So if they did something like:
http://www.yoursite.com/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
(the %5c../ are just %255c broken down by the server)
you would get a listing of C:\. I've written a proof of concept to test
machines with http://statik.countercultured.net

----- Original Message -----
From: "Ralph Los" <RLos () enteredge com>
To: <incidents () securityfocus com>
Sent: Tuesday, February 26, 2002 9:46 AM
Subject: Wave of Nimda-like hits this morning?


Hey,
I've had multiple clients' Solaris boxes crashing this morning from
what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the usual.
The same old unicode characters are present [%2f, %5c] but a new one has
appeared I haven't seen yet.  This line:

'/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe '

appears a few times and I'm not quite sure what to make of it...

Please keep in mind that came from a Solaris box, Apache log.
Whatever this (maybe) new bug is, it's blowing up these boxes left and
right...can't figure it out.  They're all relatively new 1.3'ish versions I
think.

Anyone else seeing anything weird?

----------------------------------------|
Ralph M. Los
Sr. Security Consultant and Trainer
          EnterEdge Technology, L.L.C.
          rlos () enteredge com
          (770) 955-9899 x.206
----------------------------------------|
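
As an added illustration (not part of either post), a small Python log check for the double-decoding the reply describes: it percent-decodes each request path repeatedly, the way a server that decodes twice would, and flags traversal that only appears after the second round. The Apache log lines are constructed samples.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache access-log lines (not taken from the original post).
SAMPLE_LOG_LINES = [
    r'10.0.0.1 - - [26/Feb/2002:09:40:01 -0500] "GET /msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 210',
    r'10.0.0.2 - - [26/Feb/2002:09:40:05 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210',
    r'10.0.0.3 - - [26/Feb/2002:09:41:12 -0500] "GET /index.html HTTP/1.0" 200 1043',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')  # "../" or "..\" after decoding


def decode_until_stable(path, max_rounds=4):
    """Percent-decode repeatedly until nothing changes.
    Returns (final_path, rounds_needed); %255c needs two rounds to become a backslash."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
        rounds += 1
    return path, rounds


def inspect_request(path):
    """Classify one request path: traversal present, and whether it only
    surfaces after a second decode (the double-decode pattern)."""
    decoded, rounds = decode_until_stable(path)
    traversal = bool(TRAVERSAL_RE.search(decoded))
    hidden_after_one = not TRAVERSAL_RE.search(unquote(path))
    return {
        "decoded": decoded,
        "decode_rounds": rounds,
        "traversal": traversal,
        "double_encoded": traversal and rounds >= 2 and hidden_after_one,
        "cmd_exe": "cmd.exe" in decoded.lower(),
    }


def scan_log(text):
    """Return (raw_path, findings) for every request that decodes to traversal or cmd.exe."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        info = inspect_request(m.group("path"))
        if info["traversal"] or info["cmd_exe"]:
            findings.append((m.group("path"), info))
    return findings
```

A single-decode filter on the raw request would miss the first sample; comparing the one-round and final decodes is what separates it from the plain %5c variant.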


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


Current thread: