[unisog] Chinese dot-dot-slash attack on Windows 2000/IIS

Paul FM paulfm at me.umn.edu
Fri Sep 12 13:20:33 GMT 2008


Running Terminal Services and IIS on the same machine is the Linux equivalent 
of running a Web server on a client machine.  Those two services should 
usually be on two different machines.

What you are seeing might be the result of web sites the person is accessing.

Or it may be something to do with the Great Firewall of China (his traffic 
may be going through a proxy without him knowing it).  All encrypted traffic 
(no matter what port it is on) coming from China has to be specifically 
permitted by the government (The great firewall of China is actually running 
on equipment from big US names in packet shaping).  The GFWoC is capable of 
identifying most encrypted traffic.  Even sending an encrypted file as an 
e-mail attachment will be blocked, or at least held until the Chinese 
Government can decrypt it - unless it seems to be a regular file (the 
Government wants to archive everything sent so they can potentially check it 
for forbidden communications).  The GFWoC caused a lot of complaints from 
reporters at the Olympics this year (and China had to make special exceptions).



Andrew Daviel wrote:
> A while ago I would have posted this to intrusions at sans.org. But it
> devolved into a GIAC exam question list then closed in 2006.
> Maybe there's some Windows expertise here :-)
> 
> We had some guy coming in from Guangdong over Windows Terminal Server, 
> with "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a 
> trojan server, but the server binary looks legit and the string was in 
> incoming traffic, so maybe he's got a password but was using some funny 
> client. Then we found some highly suspicious HTTP traffic:
> 
> 
> 
> GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1
> GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1
> href='?%23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo'>
> 
> Googling for infoAboutSrv turns up what look like hacked Chinese sites 
> "by Markos" - various javascript pages with Chinese language text.
> 
> This server is, we believed, fully patched and running recent antivirus on 
> auto-update, though it probably should have been replaced years ago by 
> Windows Server 2003 or recent Linux.
> 
> Has anyone seen this kind of thing? Is Windows 2000 IIS just plain 
> vulnerable, or might this be a configuration problem ?
> 
> (Generally, I do Linux, and Windows problems have been viruses and 
> trojans caught by Symantec, rather than remote access exploits, so I'm 
> not so familiar with this side of things)
> 
> 
> 

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul Markfort   Info: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
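The requests Andrew quotes decode to `?#=Execute(Session("#"))`, which is the shape of a VBScript one-line-shell loader: an ASP page that evaluates an attacker-supplied string is told to run code parked in the session, and the `pageName`/`theAct` parameters are then handled by that session-resident code rather than by anything on disk. A first check on a box like this is to pull the IIS W3C logs and look for that pattern, together with any path segment containing `..`. The script below is an added example written for this thread, not code from either poster; the log lines it scans are constructed to mirror the quoted requests, and the reading of `Execute(Session("#"))` as a loader is an interpretation, not something the post confirms.

```python
"""Flag IIS W3C-format log records that resemble the ASP one-line-webshell
traffic quoted in the thread.  Sample log lines are constructed for the
example and are not from the poster's server."""
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format.  IIS writes cs-uri-query still
# percent-encoded and uses "-" for an empty field.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-09-10 03:12:41 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp - 200
2008-09-10 03:12:44 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=PageList 200
2008-09-10 03:12:50 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo 200
2008-09-10 03:13:02 198.51.100.4 GET /homepage/index.asp - 200
2008-09-10 03:13:09 198.51.100.4 GET /homepage/news.asp id=42 200
"""

# VBScript primitives that turn a string into code.  "Execute(Session("#"))" is
# read here (an assumption, see lead-in) as a loader: the payload is stored in the
# session once and re-executed on every later request.
EVAL_RE = re.compile(r"\b(Execute|ExecuteGlobal|Eval)\s*\(", re.IGNORECASE)
LOADER_RE = re.compile(
    r"\b(Execute|ExecuteGlobal|Eval)\s*\(\s*(Session|Request)\s*\(", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log record appears before a #Fields directive")
        values = raw.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in record: {raw!r}")
        yield {k: ("" if v == "-" else v) for k, v in zip(fields, values)}


def classify(record):
    """Return the reasons a record looks like webshell traffic (empty if clean)."""
    reasons = []
    stem = unquote(record["cs-uri-stem"])
    query = unquote(record["cs-uri-query"])
    # The quoted path uses "c..", not a bare "../" segment, so normalising the
    # path would not reveal it; flag any segment that contains "..".
    if any(".." in seg for seg in stem.split("/")):
        reasons.append("dot-dot in path segment")
    if LOADER_RE.search(query):
        reasons.append("eval-of-session/request loader (one-line shell)")
    elif EVAL_RE.search(query):
        reasons.append("VBScript eval primitive in query")
    return reasons


def scan(text):
    """Return [(record_no, client_ip, decoded_uri, reasons)] for suspicious records."""
    hits = []
    for n, rec in enumerate(parse_w3c(text), 1):
        reasons = classify(rec)
        if reasons:
            uri = unquote(rec["cs-uri-stem"])
            if rec["cs-uri-query"]:
                uri += "?" + unquote(rec["cs-uri-query"])
            hits.append((n, rec["c-ip"], uri, reasons))
    return hits


if __name__ == "__main__":
    for n, ip, uri, why in scan(SAMPLE_LOG):
        print(f"record {n} from {ip}: {uri}\n    {'; '.join(why)}")
```

Run it against a real `ex*.log` from `%SystemRoot%\System32\LogFiles` by replacing `SAMPLE_LOG` with the file contents; the `#Fields:` line is read from the file, so a different field order or a site logging `cs(User-Agent)` still parses. Once the hits are in hand, the next question is whether `open.asp` under that `c..` directory is a file the site's owner ever put there, which the logs alone cannot answer.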