RE: web iis attack

[Alwin Raymundo <alrayworld () yahoo com>]

Hi Guys,

Thanks to all who responded to my email (question).
AFAIK, my IIS server was patched with SP6a and
cummulative patch for the IIS.

I installed also on my linux box (apache+frontpage
extension) and I got the same attacked but the payload
say that "connection closed".  It is annoying because
in ISS payload in Acid it showed my External IP Add. 
and I dont know if this successful or not.

Thanks again for the insight of this matter.

I'm completely blind because It does not log it on my
IIS LOG.  Tell you frankly I'm not expert on IIS.

Any tips to improve my security on my win nt box will
be highly appreciated.

Your brother in Snort.
 


--- Security Admin <SecurityAdmin () hyprotech com>
wrote:
> Hi Alwin, this is a directory traversal attack (like
> code red). You can try
> it yourself by putting the line in the IIS logs into
> your browser and
> prepending your domain name. If you are on anything
> other than a windows
> platform (with iis/pws so server, pro etc) this
> attack will have no effect.
> If you are on a windows platform hopefully you have
> applied all the security
> patches and SP3.
> The %c1%1c will convert to some character....likely
> the \
> /samples/check.bat/../../../winnt/system32/cmd.exe?/
>
> I don't know what the c+dir? converts to but the
> attack is trying to run
> check.bat in your iissamples directory, and then
> execute cmd.exe (your
> command prompt).
> These attacks are very common, I've noticed more
> this past 2 weeks, can't
> remember exactly but something about the 19th of the
> month and code red or
> nimda....
> Hopefully you have completed basic IIS hardening on
> your box which protects
> you from most of this...
>
> Wayne
>
> -----Original Message-----
> From: Alwin Raymundo [mailto:alrayworld () yahoo com] 
> Sent: Friday, October 25, 2002 5:55 AM
> To: user snort
> Subject: [Snort-users] web iis attack
>
> Hi Guys,
>
> I got a massive attack from one IP doing something
> on
> my one IIS server.  I already post it, some say that
> I
> should look at the iss log files if they succeded
> getting in or not.
>
> Almost a week I puzzled my self because the snort
> detect it and log the packets and everything while
> on
> ISS log there is nothing. Absolutely nothing.
>
> BTW, here are the sample logs in snort 
> HEAD
/samples/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir?/c+
> dir+c:\
> HTTP/1.0..Host: xxx.xx.xx.91
>
> Is there any software or utilities that can do this?
> let me know because I want to try it myself.
>
> I need your help guys.
>
> Thanks in Advance
>
> Your brother in snort 
>
> =====
> Alwin Raymundo
>
> __________________________________________________
> Do you Yahoo!?
> New DSL Internet Access from SBC & Yahoo!
> http://sbc.yahoo.com
-------------------------------------------------------
> This sf.net email is sponsored by: Influence the
> future 
> of Java(TM) technology. Join the Java Community 
> Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0004en
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
Alwin Raymundo

__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0004en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users