[unisog] Chinese dot-dot-slash attack on Windows 2000/IIS
Stephen John Smoogen
smooge at unm.edu
Fri Sep 12 18:07:51 GMT 2008
Andrew Daviel wrote:
> A while ago I would have posted this to intrusions at sans.org. But it
> devolved into a GIAC exam question list then closed in 2006.
> Maybe there's some Windows expertise here :-)
>
> We had some guy coming in from Guangdong over Windows Terminal Server,
> with "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a
> trojan server, but the server binary looks legit and the string was in
> incoming traffic, so maybe he's got a password but was using some funny
> client. Then we found some highly suspicious HTTP traffic:
>
>
>
> GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1
> GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1
> href='?%23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo'>
>
> Googling for infoAboutSrv turns up what look like hacked Chinese sites
> "by Markos" - various javascript pages with Chinese language text.
>
> This server is, we believed, fully patched and running recent antivirus on
> auto-update, though it probably should have been replaced years ago by
> Windows Server 2003 or recent Linux.
>
> Has anyone seen this kind of thing? Is Windows 2000 IIS just plain
> vulnerable, or might this be a configuration problem?
>
> (Generally, I do Linux, and Windows problems have been viruses and
> trojans caught by Symantec, rather than remote access exploits, so I'm
> not so familiar with this side of things)
I am in the same boat (99% Linux, though they keep calling me over and are
going to send me to Windows training).
I think that Windows 2000 SP4 is no longer supported, but let's just say
the web page is less than helpful.
http://support.microsoft.com/gp/lifesupsps
Windows 2000 Server Service Pack 4 26-Jun-2003 Not Applicable
Support ends 24 months after the next service pack releases or at the
end of the product's support lifecycle, whichever comes first. For more
information, please see the service pack support policy at
http://support.microsoft.com/lifecycle/Default.aspx#Service%20Pack%20Support.
Windows 2000 might still be in extended support until 2010... or it might
not. I really don't know.
I did see something similar back in early 2002 or so. Basically the Windows
admins found it was best to nuke from orbit and reinstall.
--
Stephen Smoogen -- ITS/Linux Administrator
MSC02 1520 1 University of New Mexico Albuquerque, NM 87131-0001
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
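The requests quoted above combine two things worth alerting on in IIS logs: a dot-dot-slash in the URI stem and an ASP one-liner shell pattern (Execute(Session("#"))) in the query string. The script below is an added example, not part of either poster's message, that scans IIS W3C extended log lines for both, percent-decoding (including double-encoded forms) before matching. The log lines are constructed for the example and the client addresses are from documentation ranges; the field layout follows the #Fields header in the log rather than a fixed column list.

```python
"""Flag dot-dot-slash traversal and ASP eval/execute webshell calls in IIS W3C logs.

Added example for the thread above; the log sample is constructed, not real data.
"""
import re
from urllib.parse import unquote

# Both patterns are applied after percent-decoding, so %2e%2e%2f and %255c forms
# are matched as well as the literal "../" seen in the quoted requests.
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
ASP_EVAL_RE = re.compile(
    r"\b(?:execute|eval)\s*\(\s*(?:session|request)\s*\(", re.IGNORECASE
)

# Constructed sample: the first two lines mirror the requests quoted in the post,
# the third is benign, the fourth is a double-encoded (%255c -> %5c -> \) traversal.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-09-12 17:55:01 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp - 200
2008-09-12 17:55:03 203.0.113.7 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=PageList 200
2008-09-12 17:56:10 198.51.100.4 GET /homepage/index.asp - 200
2008-09-12 17:57:44 203.0.113.7 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c+dir 404
""".splitlines()


def decode_fully(s, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded requests unwrap."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def classify(uri_stem, uri_query):
    """Return the set of labels ('traversal', 'asp_eval') that apply to one request."""
    labels = set()
    full = decode_fully(uri_stem) + "?" + decode_fully(uri_query)
    if TRAVERSAL_RE.search(full):
        labels.add("traversal")
    if ASP_EVAL_RE.search(full):
        labels.add("asp_eval")
    return labels


def scan_w3c(lines):
    """Parse W3C extended log lines using the #Fields header; return flagged requests.

    Each hit is (client_ip, uri_stem, sorted_labels). Lines whose column count
    does not match the header (e.g. truncated entries) are skipped rather than
    mis-parsed.
    """
    fields = None
    hits = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue
        rec = dict(zip(fields, cols))
        query = rec.get("cs-uri-query", "-")
        labels = classify(rec.get("cs-uri-stem", ""), "" if query == "-" else query)
        if labels:
            hits.append((rec.get("c-ip"), rec.get("cs-uri-stem"), sorted(labels)))
    return hits


if __name__ == "__main__":
    for ip, stem, labels in scan_w3c(SAMPLE_LOG):
        print(f"{ip} {stem} {','.join(labels)}")
```

Run it against a real log by replacing SAMPLE_LOG with the lines of an ex*.log file; the Execute(Session("#")) pattern is the one to treat as a confirmed-compromise indicator, since a legitimate ASP page has no reason to evaluate attacker-supplied session data, whereas a bare traversal hit may also be scanner noise worth correlating with the 200 status.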