[Intrusions] Has anyone seen this?
Justin S
jgs316 at gmail.com
Thu Aug 25 13:43:03 GMT 2005
On 8/24/05, Paul Schmehl wrote:
> We had a really strange attack the other day, and I'm wondering if anyone
> else might have seen something similar. The attack originated in a class C
> (in China), moving randomly through the address space (x.x.x.231,
> x.x.x.222, x.x.x.198, x.x.x.243, etc.) and scanned through a number of
> class C's on our network. The dst port was always 80.
>
> The attack signature was one of either "root.exe" (Nimda) or
> "winnt/system32/cmd.exe". I've never seen an IIS attack that used the
> latter, and it seems rather strange, because unless the webserver is
> grossly misconfigured you couldn't get to the system32 dir through port 80
> anyway.
>
> From the rapidity of the attack, it seemed more like a discovery attack
> rather than a break-in attack, because the script (or whatever it was)
> would change src IP very quickly.
>
> I'm just curious if anyone has seen anything similar.
>
> (The entire attack was detected and blocked by Tippingpoint, so it's only
> interesting from an educational standpoint.)
>
I have seen that before. I believe there was an old vulnerability in
IIS where you could modify your URL to have a bunch of ../ in it and
it would eventually take you back to the C drive so you could then
move forward and access the winnt directory. You would have to have
an old and unpatched version of IIS to be vulnerable to it though.
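As an added illustration (not code from the thread or from either poster), here is a small Python detector that applies the two signatures Paul describes (requests for root.exe or winnt/system32/cmd.exe) and the ../ traversal Justin refers to, over web-server access-log lines. The log lines are constructed for this example in a Common-Log-Format-style layout, which is an assumption; it is not the Tippingpoint alert format. The backslash-to-slash normalization is also an assumption made because the target is a Windows host. Since the thread notes that the source address hopped around one class C, the findings are grouped by /24 so the pattern is visible even when no single source repeats.

```python
"""Flag access-log requests that match the IIS signatures discussed in the thread.
Constructed example; log lines and field layout are invented for illustration."""
import re
from urllib.parse import unquote

# Constructed sample lines, CLF-style: src - - [timestamp] "METHOD target HTTP/x.y" status size
SAMPLE_LOG = """\
203.0.113.231 - - [24/Aug/2005:10:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 0
203.0.113.222 - - [24/Aug/2005:10:01:02 -0500] "GET /scripts/..%2f..%2f..%2fwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
203.0.113.198 - - [24/Aug/2005:10:01:03 -0500] "GET /index.html HTTP/1.1" 200 1234
203.0.113.243 - - [24/Aug/2005:10:01:03 -0500] "GET /images/../../../../winnt/system32/cmd.exe HTTP/1.0" 404 0
198.51.100.7 - - [24/Aug/2005:10:01:04 -0500] "GET /docs/../index.html HTTP/1.1" 200 1234
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d+)'
)

# File names named in the thread (Nimda's root.exe and the cmd.exe probe).
SUSPECT_NAMES = ("root.exe", "cmd.exe")


def normalize_path(target: str) -> str:
    """Return the request path as the server would resolve it: query stripped,
    percent-decoding repeated until stable, backslashes treated as separators
    (assumption: Windows host), lower-cased for comparison."""
    path = target.split("?", 1)[0]
    while True:
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/").lower()


def traversal_escapes_root(path: str) -> bool:
    """True if the ../ segments ever climb above the web root. A patched server
    refuses such paths; an unpatched one could be walked back to the C drive."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def inspect_request(target: str) -> list:
    """Return the list of reasons a request target looks like the described probe."""
    path = normalize_path(target)
    reasons = []
    name = path.rsplit("/", 1)[-1]
    if name in SUSPECT_NAMES:
        reasons.append(f"requests {name}")
    if traversal_escapes_root(path):
        reasons.append("../ sequences escape the web root")
    return reasons


def scan_log(text: str) -> list:
    """Parse CLF-style lines and collect the suspicious ones with their reasons."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        reasons = inspect_request(m["target"])
        if reasons:
            findings.append({"src": m["src"], "target": m["target"], "reasons": reasons})
    return findings


def sources_by_class_c(findings: list) -> dict:
    """Group offending sources by their /24, since the thread's scanner hopped
    between addresses within one class C rather than repeating a single source."""
    groups = {}
    for f in findings:
        net = f["src"].rsplit(".", 1)[0]
        groups.setdefault(net, set()).add(f["src"])
    return {net: sorted(addrs) for net, addrs in groups.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["src"], h["target"], "->", "; ".join(h["reasons"]))
    for net, addrs in sources_by_class_c(hits).items():
        print(f"{net}.0/24: {len(addrs)} distinct sources", addrs)
```

The traversal check is done on the decoded, collapsed path rather than on the raw string so that a percent-encoded "../" is judged the same way the server would resolve it, while an ordinary "/docs/../index.html" that stays inside the root is left alone.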