Educause Security Discussion mailing list archives

Chinese dot-dot-slash attack on Windows 2000/IIS


From: Andrew Daviel <advax () TRIUMF CA>
Date: Thu, 11 Sep 2008 19:08:04 -0700

(previously posted to UNISOG)

We had some guy coming in from Guangdong over Windows Terminal Server, with
"B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a trojan
server, but the server binary looks legit and the string was in incoming
traffic, so maybe he's got a password but was using some funny client. Then we
found some highly suspicious HTTP traffic:
GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1
GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1
href='?%23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo'>

Googling for infoAboutSrv turns up what look like hacked Chinese sites "by
Markos" - various javascript pages with Chinese language text.

This server is, we believed, fully patched and running recent antivirus on
auto-update, though it probably should have been replaced years ago by Windows
Server 2003 or recent Linux.

Has anyone seen this kind of thing? Is Windows 2000 IIS just plain vulnerable,
or might this be a configuration problem?

(Generally, I do Linux, and Windows problems have been viruses and trojans
caught by Symantec, rather than remote access exploits, so I'm not so familiar
with this side of things)

--
Andrew Daviel, TRIUMF, Canada
Network Security Manager

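As an added illustration of how a defender could flag request lines like the ones quoted above in IIS or proxy logs (example code, not part of the original post or of any product), the following script decodes each request target and tags two things the post's traffic shows: a ".." inside a path segment and a server-side `Execute(Session(...))` call carried in the query string. The sample request lines are constructed to mirror the post; the tag names are this example's own.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample request lines modelled on those in the post (not real log data).
SAMPLE_REQUESTS = [
    "GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1",
    "GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1",
    "GET /homepage/foobar/open.asp?%2523=Execute(Session(%2522%2523%2522)) HTTP/1.1",  # double-encoded
    "GET /homepage/index.asp?pageName=PageList HTTP/1.1",
    "GET /images/logo.gif HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d$")
# ASP server-side execution of a string, as in the post's Execute(Session("#")) payload.
ASP_EXEC = re.compile(r"\bExecute\s*\(", re.IGNORECASE)


def fully_decode(s, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input (%2523 -> %23 -> #) is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def analyze_request(line):
    """Return the list of finding tags for one HTTP request line ([] if nothing is suspicious)."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return ["malformed-request-line"]
    parts = urlsplit(m.group("target"))   # split before decoding so an encoded '#' stays in the query
    path = fully_decode(parts.path)
    query = fully_decode(parts.query)
    findings = []
    # Any path segment containing "..": covers both "/../" and the "c../" form seen in the post.
    if any(".." in seg for seg in path.split("/")):
        findings.append("dot-dot-in-path")
    if ASP_EXEC.search(query):
        findings.append("asp-execute-in-query")
    return findings


def scan(lines):
    """Map each suspicious request line to its findings; clean lines are omitted."""
    return {line: tags for line in lines if (tags := analyze_request(line))}


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_REQUESTS).items():
        print(", ".join(tags), "<-", line)
```

Feed it the request-line column of an IIS W3C log (cs-method, cs-uri-stem and cs-uri-query joined back into a request line) to triage a day of traffic; the hits are then worth comparing against the webroot for files such as open.asp that the site itself never deployed.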