[Intrusions] Has anyone seen this?

Roger Roberts roger.roberts at gmail.com
Thu Aug 25 15:13:39 GMT 2005


Many worms/bots/tools use the Unicode Web Traversal exploit. A patch
for computers running Windows NT 4.0 Service Packs 5 and 6a or Windows
2000 Gold or Service Pack 1, as well as information regarding this
exploit can be found at
http://www.microsoft.com/technet/security/bulletin/ms00-078.asp.

R

On 8/25/05, Justin S <jgs316 at gmail.com> wrote:
> On 8/24/05, Paul Schmehl  wrote:
> > We had a really strange attack the other day, and I'm wondering if anyone
> > else might have seen something similar.  The attack originated in a class C
> > (in China), moving randomly through the address space (x.x.x.231,
> > x.x.x.222, x.x.x.198, x.x.x.243, etc.) and scanned through a number of
> > class C's on our network.  The dst port was always 80.
> >
> > The attack signature was one of either "root.exe" (Nimda) or
> > "winnt/system32/cmd.exe".  I've never seen an IIS attack that used the
> > latter, and it seems rather strange, because unless the webserver is
> > grossly misconfigured you couldn't get to the system32 dir through port 80
> > anyway.
> >
> > From the rapidity of the attack, it seemed more like a discovery attack
> > rather than a break-in attack, because the script (or whatever it was)
> > would change src IP very quickly.
> >
> > I'm just curious if anyone has seen anything similar.
> >
> > (The entire attack was detected and blocked by Tippingpoint, so it's only
> > interesting from an educational standpoint.)
> >
> I have seen that before.  I believe there was an old vulnerability in
> IIS where you could modify your URL to have a bunch of ../ in it and
> it would eventually take you back to the C drive so you could then
> move forward and access the winnt directory.  You would have to have
> an old and unpatched version of IIS to be vulnerable to it though.
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
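As an added example (not from the thread or from any of its posters), here is a small log-side check in Python that normalizes request paths the way the MS00-078 Unicode traversal abuses them and flags the two signatures Paul describes. The sample request lines are constructed, and the double-encoded variant and file names are assumptions about what a scanner of that era sent.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request lines (not from the thread): the two signatures
# Paul mentions, one double-encoded variant, and ordinary traffic.
SAMPLE_REQUESTS = [
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /index.html HTTP/1.0",
]

# Files the thread names as attack signatures, matched after normalization.
TARGET_FILES = ("winnt/system32/cmd.exe", "root.exe")
DOT_DOT = re.compile(r"(^|/)\.\.(/|$)")


def normalize_path(raw_path: str) -> str:
    """Decode a request path the way the scanner hoped IIS would: two rounds
    of percent-decoding (so %255c becomes a backslash), then fold overlong
    two-byte UTF-8 forms such as %c0%af ('/') and %c1%9c ('\\'), which is
    the MS00-078 flaw, and finally unify slashes and case."""
    data = unquote_to_bytes(unquote_to_bytes(raw_path))
    chars, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # Overlong encoding of an ASCII byte: recover the byte it stands for.
            chars.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            chars.append(chr(b) if b < 0x80 else "?")
            i += 1
    return "".join(chars).replace("\\", "/").lower()


def classify_request(request_line: str) -> list:
    """Reasons a request line looks like the scan described in the thread;
    an empty list means the line is unremarkable."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    path = normalize_path(parts[1].split("?", 1)[0])
    reasons = []
    if DOT_DOT.search(path):
        reasons.append("directory traversal")
    reasons += ["requests " + t for t in TARGET_FILES if t in path]
    return reasons
```

Running `classify_request` over each line of a web log gives a quick triage list; the point of normalizing first is that a plain string match on "cmd.exe" misses the %c0%af and %255c spellings that an unpatched IIS would have decoded after its own security check.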