[unisog] Chinese dot-dot-slash attack on Windows 2000/IIS
Chris Green
cmgreen at uab.edu
Fri Sep 12 15:32:11 GMT 2008
Andrew Daviel wrote:
> A while ago I would have posted this to intrusions at sans.org. But it
> devolved into a GIAC exam question list then closed in 2006.
> Maybe there's some Windows expertise here :-)
>
> We had some guy coming in from Guangdong over Windows Terminal Server,
> with "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a
> trojan server, but the server binary looks legit and the string was in
> incoming traffic, so maybe he's got a password but was using some funny
> client. Then we found some highly suspicious HTTP traffic:
My guess: open.asp is something like C99shell for Windows. Some other
way (weak password, SQL injection on another app running on the server,
incorrect WebDAV permissions, etc.) let someone upload open.asp and then
get a shell.
> Has anyone seen this kind of thing ? Is Windows 2000 IIS just plain
> vulnerable, or might this be a configuration problem ?
Is it actually a Windows 2000 Terminal Server or is it just running
standard RDP? If I recall, Windows 2000 Terminal Server and IIS became
an unsupported configuration over the lifecycle of Windows 2000 (Around
SP2). I could be way off my rocker because it's been years since I
found that realization and it could have been NT4.
> (Generally, I do Linux, and Windows problems have been viruses and
> trojans caught by Symantec, rather than remote access exploits, so I'm
> not so familiar with this side of things)
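A way to check Chris's hypothesis against the server's own logs, as an added example that is not part of the original thread or of any unisog poster's code. It parses IIS W3C extended log lines (the field list is taken from the #Fields header, so the same code works on a real log), flags the three things the hypothesis predicts: dot-dot-slash traversal in the request path (after repeated percent-decoding, so %255c-style double encoding is caught), a WebDAV-style PUT/MOVE/COPY that creates a script file, and later requests to the file that was uploaded. The log lines, the IP addresses (documentation ranges) and the /images/open.asp location are constructed for the example; nothing here was taken from the traffic the original poster saw.

```python
"""Scan IIS W3C extended log lines for traversal, script uploads and
subsequent web-shell requests. Constructed example; the sample log below
is invented and uses documentation IP ranges."""
import re
from urllib.parse import unquote

# Constructed sample in IIS 5.0 W3C extended format (hypothetical traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-09-10 02:14:07 203.0.113.7 GET /scripts/..%255c..%255cwinnt/win.ini - 200
2008-09-10 02:14:09 203.0.113.7 PROPFIND /images/ - 207
2008-09-10 02:14:11 203.0.113.7 PUT /images/open.asp - 201
2008-09-10 02:14:30 203.0.113.7 POST /images/Open.asp - 200
2008-09-10 02:15:02 198.51.100.4 GET /default.asp - 200
2008-09-10 02:15:05 203.0.113.7 GET /images/open.asp cmd=dir 200
"""

TRAVERSAL = re.compile(r"\.\./")
# Extensions IIS hands to the ASP engine; a PUT of one of these is an upload
# of executable content, whatever the attacker calls the file.
SCRIPT_EXT = re.compile(r"\.(asp|asa|cer|cdx)$")
UPLOAD_METHODS = {"PUT", "MOVE", "COPY"}


def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-header line; skip rather than guess
        yield dict(zip(fields, parts))


def normalize(uri_stem, rounds=3):
    """Percent-decode until stable (bounded), fold backslashes to slashes and
    lowercase, since Windows paths are case-insensitive."""
    s = uri_stem
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s.replace("\\", "/").lower()


def classify(rec):
    """Tags for one record: 'traversal' and/or 'script-upload'."""
    tags = []
    path = normalize(rec["cs-uri-stem"])
    if TRAVERSAL.search(path):
        tags.append("traversal")
    if rec["cs-method"].upper() in UPLOAD_METHODS and SCRIPT_EXT.search(path):
        tags.append("script-upload")
    return tags


def scan(text):
    """Return findings in log order; requests to a path that an earlier
    successful (2xx) script upload created are tagged 'webshell-request'."""
    uploaded = set()
    findings = []
    for rec in parse_w3c(text):
        tags = classify(rec)
        path = normalize(rec["cs-uri-stem"])
        if "script-upload" in tags:
            if rec["sc-status"].startswith("2"):
                uploaded.add(path)  # only a successful upload creates the file
        elif path in uploaded:
            tags.append("webshell-request")
        if tags:
            findings.append({"when": rec["date"] + " " + rec["time"],
                             "ip": rec["c-ip"], "method": rec["cs-method"],
                             "uri": rec["cs-uri-stem"], "tags": tags})
    return findings


def summarize(text):
    """Per-client-IP count of each tag, to see who did what."""
    per_ip = {}
    for f in scan(text):
        counts = per_ip.setdefault(f["ip"], {})
        for t in f["tags"]:
            counts[t] = counts.get(t, 0) + 1
    return per_ip


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["when"], f["ip"], f["method"], f["uri"], ",".join(f["tags"]))
    print(summarize(SAMPLE_LOG))
```

Run it against the real log by replacing SAMPLE_LOG with the file contents; the #Fields header in the file drives the column mapping, so a server logging extra columns (cs(User-Agent), cs-bytes) needs no code change. The point of correlating on the uploaded path rather than just on the name open.asp is that the same WebDAV write that dropped open.asp would have let the attacker drop any file name, so a hit on a freshly created .asp is the signal, whatever it is called.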