[Intrusions] Has anyone seen this?

Evans, Arian Arian.Evans at fishnetsecurity.com
Thu Aug 25 16:08:55 GMT 2005


Those look like stock Nikto checks (which is also
what Nessus uses for "web app testing").

It's probably throwing a directory traversal string
before the check that IIS is dropping (unless it's
an old vuln version). I have however seen people
enable parent pathing and move the web root to the
root of a Windows drive; gross misconfiguration does
in fact happen.

I bet other vuln scanners that have known-file/known-cgi
abuse checks like eEye's Retina, Nstalker Nstealth, and
other network vuln scanners purporting to do "web application
security" testing have these sorts of checks too.

You can dig through some of the common ones here in this
list:

http://www.owasp.org/docroot/owasp/misc/OWASP_UK_2005_Presentations/AppSec2005-Arian_Evans-AppSec_Assessment_Tools.ppt


-ae 

> -----Original Message-----
> From: intrusions-bounces at lists.sans.org 
> [mailto:intrusions-bounces at lists.sans.org] On Behalf Of Paul Schmehl
> Sent: Wednesday, August 24, 2005 12:21 PM
> To: Intrusions List (GCIA Practicals)
> Subject: [Intrusions] Has anyone seen this?
> 
> We had a really strange attack the other day, and I'm wondering if anyone
> else might have seen something similar.  The attack originated in a class C
> (in China), moving randomly through the address space (x.x.x.231,
> x.x.x.222, x.x.x.198, x.x.x.243, etc.) and scanned through a number of
> class C's on our network.  The dst port was always 80.
> 
> The attack signature was one of either "root.exe" (Nimda) or
> "winnt/system32/cmd.exe".  I've never seen an IIS attack that used the
> latter, and it seems rather strange, because unless the webserver is
> grossly misconfigured you couldn't get to the system32 dir through port 80
> anyway.
> 
> From the rapidity of the attack, it seemed more like a discovery attack
> rather than a break-in attack, because the script (or whatever it was)
> would change src IP very quickly.
> 
> I'm just curious if anyone has seen anything similar.
> 
> (The entire attack was detected and blocked by Tippingpoint, 
> so it's only 
> interesting from an educational standpoint.)
> 
> Paul Schmehl (pauls at utdallas.edu)
> Adjunct Information Security Officer
> University of Texas at Dallas
> AVIEN Founding Member
> http://www.utdallas.edu/ir/security/
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
> 

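Added example, not part of either message above: a small Python triage script over constructed IIS W3C-style log lines in the shape of the requests Paul describes (root.exe, winnt/system32/cmd.exe, and the encoded directory-traversal forms scanners of that era sent). It normalises the URL-encoding and backslash variants, flags the hits, groups them by source IP so the many-sources-few-requests-each pattern of a discovery scan stands out, and separates the requests IIS dropped (4xx) from any that returned 2xx, which is what Arian's parent-paths / web-root-on-drive-root misconfiguration would produce. The log lines, IP addresses and field layout are constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS W3C-style log lines for the example (not real traffic).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-08-22 14:01:03 203.0.113.231 GET /scripts/root.exe /c+dir 404
2005-08-22 14:01:04 203.0.113.222 GET /MSADC/root.exe /c+dir 404
2005-08-22 14:01:04 203.0.113.198 GET /c/winnt/system32/cmd.exe /c+dir 404
2005-08-22 14:01:05 203.0.113.243 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 404
2005-08-22 14:01:05 203.0.113.17 GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 404
2005-08-22 14:01:06 203.0.113.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2005-08-22 14:02:10 198.51.100.8 GET /index.html - 200
2005-08-22 14:02:11 198.51.100.8 GET /images/logo.gif - 200
2005-08-22 14:03:00 192.0.2.40 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 200
"""

SUSPECT_FILES = {"root.exe", "cmd.exe"}   # Nimda's backdoor copy and the shell it targets
TRAVERSAL = re.compile(r"(?:^|/)\.\./")   # a "../" segment once the path is normalised


def normalize(uri_stem):
    """Reduce the encoding tricks scanners use to one canonical lowercase form."""
    p = uri_stem.lower()
    # The two best-known overlong UTF-8 forms of '/' and '\' from the old IIS
    # Unicode traversal bug; this is a targeted replace, not a general overlong decoder.
    p = p.replace("%c0%af", "/").replace("%c1%9c", "\\")
    # Decode twice so double-encoded separators (%255c -> %5c -> \) collapse as well.
    p = unquote(unquote(p))
    return p.replace("\\", "/")


def parse_line(line):
    """Split one log line into a dict; header and malformed lines return None."""
    parts = line.split()
    if line.startswith("#") or len(parts) != 7:
        return None
    _date, _time, ip, method, stem, query, status = parts
    return {"ip": ip, "method": method, "stem": stem, "query": query, "status": int(status)}


def flag(entry):
    """Return the reasons a request looks like root.exe / cmd.exe probing (empty if clean)."""
    reasons = []
    norm = normalize(entry["stem"])
    basename = norm.rsplit("/", 1)[-1]
    if basename in SUSPECT_FILES:
        reasons.append(basename)
    if TRAVERSAL.search(norm):
        reasons.append("traversal")
    if "/winnt/" in norm or "/system32/" in norm:
        reasons.append("system dir")
    return reasons


def analyze(log_text):
    """Flag suspicious requests, count them per source IP, and pick out any the server served."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag(entry)
        if reasons:
            hits.append({**entry, "reasons": reasons})
    by_ip = defaultdict(int)
    for h in hits:
        by_ip[h["ip"]] += 1
    # A 2xx/3xx on one of these requests means IIS did not drop it: that is the
    # parent-paths / web-root-on-drive-root misconfiguration case worth chasing.
    succeeded = [h for h in hits if h["status"] < 400]
    return {"hits": hits, "by_ip": dict(by_ip), "succeeded": succeeded}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print(f"{len(report['hits'])} suspicious requests from {len(report['by_ip'])} source IPs")
    for h in report["hits"]:
        print(f"  {h['ip']:<15} {h['status']} {h['stem']}  <- {', '.join(h['reasons'])}")
    for h in report["succeeded"]:
        print(f"NOT DROPPED: {h['ip']} got {h['status']} for {h['stem']}")
```

On the constructed sample this reports seven flagged requests from seven different source addresses, one request each, which is the "src IP changes very quickly" discovery pattern, and singles out the one 200 response as the only request that warrants looking at the server rather than the scanner. The overlong-UTF-8 handling covers only the two classic sequences; a production version would run a real overlong decoder before the percent-decoding.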