RE: Unicode Attack (FOLLOW UP)

["Jeremy Junginger" <jjunginger () usbestcrm com>]

Follow up:

The attacking host at 210.201.100.253 is a Windows 2000 Chinese Server,
trojaned with RemoteNC running on port 5700 (which is password
protected).  He is also running "X-FTP" which allows anonymous
downloading as well as posting (d'oh).  It seems reasonable to assume
that this host is being controlled by a malicious entity that is using
it to fire off automated scripts.  Also an intersting note is the
following:

Search results for: 210.201.100.253 


OrgName:    Asia Pacific Network Information Centre
OrgID:      APNIC

NetRange:   210.0.0.0 - 211.255.255.255
CIDR:       210.0.0.0/7
NetName:    APNIC-CIDR-BLK2
NetHandle:  NET-210-0-0-0-1
Parent:
NetType:    Allocated to APNIC
NameServer: ns1.apnic.net
NameServer: ns3.apnic.net
NameServer: ns.ripe.net
NameServer: rs2.arin.net
NameServer: dns1.telstra.net
Comment:    This IP address range is not registered in the ARIN
database.
            For details, refer to the APNIC Whois Database via
            WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
            ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
            for the Asia Pacific region. APNIC does not operate networks
            using this IP address range and is not able to investigate
            spam or abuse reports relating to these addresses. For more
            help, refer to http://www.apnic.net/info/faq/abuse

RegDate:    1996-07-01
Updated:    2002-09-11

OrgTechHandle: SA90-ARIN
OrgTechName:   System Administrator, System
OrgTechPhone:  +61 7 3858 3100
OrgTechEmail:

# ARIN Whois database, last updated 2002-11-12 19:05
# Enter ? for additional hints on searching ARIN's Whois database.

Interesting how they "are not able to investigate SPAM or abuse reports
relating to these ranges."  Looks like a perfect place for a zombie.
Thoughts?  What would you do?

-Jeremy

-----Original Message-----
From: Jeremy Junginger 
Sent: Wednesday, November 13, 2002 7:51 AM
To: incidents () securityfocus com
Subject: Unicode Attack


It's time again to ask the group for some assistance with interpretation
of web logs and snort alerts.  There was some funny activity on the web
farm.  I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on
some of our web servers, queueing me in to the fact that the servers in
question were not patched against a Unicode-type vulnerability.  I found
the offending IP, and tracked it back to a broadband home connection. I
think with reasonable certainty that the attack was not spoofed (because
of the nature of TCP and the fact that he received a response from the
web server); however, I cannot rule out the possibility of the host
being compromised.  Knowing this, I reported it to our ISP and blocked
access immediately, and began to analyze the logs more closely.  The web
logs are continuous, so I am assuming that they are intact, though they
may be suspect.  There are no lapses  in time, and the logs appear to be
fairly contiguous.  I also noticed that the attack was scripted, as
there were many WEB-IIS SAM RETRIEVAL attempts interspersed with the
Unicode strings, all happening in less than 10 seconds.  The log entries
of the first server are below.  

Web log entries:

2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET
/scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
31 HTTP/1.1 63.241.137.233
Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET
/scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321
31 HTTP/1.1 63.241.137.233
Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

This is an IIS 5.0/Win2k Server with SP2 and Latest Hotfixes per
HFNETCHECK, which I thought would preclude this server from being
vulnerable to a Unicode-type attack.  The only thing that has not been
done is running URLSCAN and IISLOCKDOWN.  Obviously, these will be my
steps for patching the servers, but I would like to ask for some
assistance with replicating the attack.  

INTERESTING NOTE:  The web logs indicate that the URL Requested was
(correct me if I'm wrong) 
http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir
(possibly with a c:\ at the end).  

When running this URL against the server, it produces a 404 error on the
server rather than listing the drive contents.  The snort logs
(Snort/MySQL/PHP/ACID/Apache) indicate that the URL was
http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir .  

I guess my question is three-fold:

1) Does the IIS server "decode" the string before logging it to the web
logs?
2) Does the Snort IDS "decode" the string before logging it to MySQL?
3) Since there are few (if any) thorough Unicode scanners, is it
possible to write a perl script that could check for all possible
Unicode variants on a given web server to test the effectiveness of the
URLSCAN and IISLOCKDOWN utilities (pre-change/post-change pen-test)?  I
have some "shell" programs like uni.pl, but am a little confused about
how to generate all of the possible combinations.

If you guys can provide any assistance with this, it would be great.  If
not, thanks for taking the time to read the post.  Have a good one!

-Jeremy

------------------------------------------------------------------------
----
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com