[unisog] Chinese dot-dot-slash attack on Windows 2000/IIS
Andrew Daviel
advax at triumf.ca
Fri Sep 12 00:21:37 GMT 2008
A while ago I would have posted this to intrusions at sans.org. But it
devolved into a GIAC exam question list then closed in 2006.
Maybe there's some Windows expertise here :-)
We had some guy coming in from Guangdong over Windows Terminal Server,
with "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a
trojan server, but the server binary looks legit and the string was in
incoming traffic, so maybe he's got a password but was using some funny
client. Then we found some highly suspicious HTTP traffic:
GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1
GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1
href='?%23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo'>
Googling for infoAboutSrv turns up what look like hacked Chinese sites
"by Markos" - various javascript pages with Chinese language text.
This server is, we believed, fully patched and running recent antivirus on
auto-update, though it probably should have been replaced years ago by
Windows Server 2003 or recent Linux.
Has anyone seen this kind of thing? Is Windows 2000 IIS just plain
vulnerable, or might this be a configuration problem?
(Generally, I do Linux, and Windows problems have been viruses and
trojans caught by Symantec, rather than remote access exploits, so I'm
not so familiar with this side of things)
--
Andrew Daviel, TRIUMF, Canada
Network Security Manager
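As an added example (not part of the original post, and not one of the tools mentioned in it), a Python script that scans IIS W3C extended log lines for the patterns in the requests quoted above, after URL-decoding the query; the log lines, field order and client addresses are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Indicators taken from the requests quoted above: the ASP one-liner that
# Executes whatever was stored in Session("#"), the two action names,
# and the "c../" segment (a dot-dot-slash with junk in front of the dots).
INDICATORS = [
    ("asp-execute-session", re.compile(r"execute\s*\(\s*session\s*\(", re.I)),
    ("backdoor-action", re.compile(r"pagename=infoaboutsrv|theact=getterminalinfo", re.I)),
    ("dot-dot-slash", re.compile(r"\.\./")),
]

def fully_decode(s, rounds=3):
    """Undo URL encoding repeatedly so double-encoded %2523 -> %23 -> '#' is seen too."""
    while rounds and unquote(s) != s:
        s, rounds = unquote(s), rounds - 1
    return s

def classify_request(stem, query):
    """Return the indicator names matching one decoded uri-stem + uri-query."""
    target = fully_decode(stem)
    if query and query != "-":          # IIS logs '-' for an empty query
        target += "?" + fully_decode(query)
    return [name for name, rx in INDICATORS if rx.search(target)]

def scan_iis_log(text):
    """Parse W3C extended log text using its #Fields header; return
    (client-ip, uri-stem, [indicators]) for every suspicious request."""
    fields, hits = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        tags = classify_request(rec.get("cs-uri-stem", ""), rec.get("cs-uri-query", "-"))
        if tags:
            hits.append((rec.get("c-ip"), rec.get("cs-uri-stem"), tags))
    return hits

# Constructed sample log (hypothetical addresses): the requests from the post plus a benign one.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-09-11 23:58:01 192.0.2.10 GET /homepage/foobar/sysvolume/c../open.asp - 200
2008-09-11 23:58:02 192.0.2.10 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=PageList 200
2008-09-11 23:58:03 192.0.2.10 GET /homepage/foobar/sysvolume/c../open.asp %2523=Execute(Session(%2522%2523%2522))&pageName=infoAboutSrv&theAct=getTerminalInfo 200
2008-09-11 23:58:04 192.0.2.20 GET /homepage/foobar/index.html - 200
"""
for ip, stem, tags in scan_iis_log(SAMPLE_LOG):
    print(ip, stem, ", ".join(tags))
```

Running it against a real IIS log directory only needs the #Fields header that IIS writes at the top of each W3C log file; requests that match the first two indicators are the ones worth pulling the ASP file for.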