Educause Security Discussion mailing list archives
Chinese dot-dot-slash attack on Windows 2000/IIS
From: Andrew Daviel <advax () TRIUMF CA>
Date: Thu, 11 Sep 2008 19:08:04 -0700
(previously posted to UNISOG)

We had some guy coming in from Guangdong over Windows Terminal Server, with "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a trojan server, but the server binary looks legit and the string was in incoming traffic, so maybe he's got a password but was using some funny client.

Then we found some highly suspicious HTTP traffic:

GET /homepage/foobar/sysvolume/c../open.asp HTTP/1.1
GET /homepage/foobar/sysvolume/c../open.asp?%23=Execute(Session(%22%23%22))&pageName=PageList HTTP/1.1

href='?%23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo'>

Googling for infoAboutSrv turns up what look like hacked Chinese sites "by Markos" - various javascript pages with Chinese language text.

This server is, we believed, fully patched and running recent antivirus on auto-update, though it probably should have been replaced years ago by Windows Server 2003 or recent Linux.

Has anyone seen this kind of thing? Is Windows 2000 IIS just plain vulnerable, or might this be a configuration problem?

(Generally, I do Linux, and Windows problems have been viruses and trojans caught by Symantec, rather than remote access exploits, so I'm not so familiar with this side of things)

--
Andrew Daviel, TRIUMF, Canada
Network Security Manager
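The two things worth alerting on in the requests quoted above are a path segment containing ".." (here "c..", not a plain "../", so a rule that only looks for "../" would miss it; Windows also ignores trailing dots in a path component, which is one reason such segments deserve attention) and a query string that feeds request state into server-side script evaluation, Execute(Session("#")). The following is an added example, not code from the original post or from TRIUMF: a small scanner for IIS W3C-format log lines that URL-decodes each request (repeatedly, so double-encoded dots and parentheses cannot hide) and flags both conditions. It goes slightly beyond the post by also matching the closely related Eval/Execute(Request(...)) form. The log lines, IP addresses, timestamps and status codes are constructed for the example; only the request URIs echo the post.

```python
import re
from urllib.parse import unquote

# Constructed sample: W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# The URIs echo the requests quoted in the post; the IP addresses, timestamps and status codes are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-09-11 02:14:07 203.0.113.5 GET /homepage/foobar/sysvolume/c../open.asp - 200
2008-09-11 02:14:09 203.0.113.5 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=PageList 200
2008-09-11 02:14:11 203.0.113.5 GET /homepage/foobar/sysvolume/c../open.asp %23=Execute(Session(%22%23%22))&pageName=infoAboutSrv&theAct=getTerminalInfo 200
2008-09-11 02:15:30 198.51.100.7 GET /homepage/index.asp pageName=PageList 200
2008-09-11 02:16:02 198.51.100.7 GET /images/logo.gif - 304
"""

# Server-side script evaluation fed from request state: Execute(Session(...)) as seen in the post,
# plus the closely related Eval/Execute(Request(...)) form. Matched against the decoded query.
ASP_EVAL = re.compile(r"\b(?:execute|eval)\s*\(\s*(?:session|request)\s*\(", re.IGNORECASE)


def fully_decode(value, rounds=3):
    """URL-decode repeatedly so %252e-style double encoding cannot hide a dot or a parenthesis."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_segments(path):
    """Return the path components containing '..', whether plain ('..') or attached to a name ('c..')."""
    return [seg for seg in re.split(r"[/\\]+", fully_decode(path)) if ".." in seg]


def parse_line(line):
    """Split one W3C log line into a dict; returns None for directives and malformed lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    date, time, ip, method, stem, query, status = parts[:7]
    return {"date": date, "time": time, "ip": ip, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def scan_iis_log(text):
    """Return one alert per suspicious request, each listing the reasons it matched."""
    alerts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        bad = traversal_segments(rec["stem"])
        if bad:
            reasons.append("traversal:" + ",".join(bad))
        if ASP_EVAL.search(fully_decode(rec["query"])):
            reasons.append("asp_eval")
        if reasons:
            alerts.append({"line": lineno, "ip": rec["ip"], "stem": rec["stem"],
                           "status": rec["status"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in scan_iis_log(SAMPLE_LOG):
        print(f"line {a['line']:>3} {a['ip']:<14} {a['status']} {a['stem']}  ->  {'; '.join(a['reasons'])}")
```

Run against the sample, the three requests from 203.0.113.5 are flagged (the first for the "c.." segment alone, the other two for the segment plus the Execute(Session(...)) query) and the two ordinary requests are not. A 200 status on a flagged request is the line to chase first: it means the server served the page rather than rejecting the path. Expect occasional false positives from legitimate filenames that happen to contain "..".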
Current thread:
- Chinese dot-dot-slash attack on Windows 2000/IIS Andrew Daviel (Sep 11)
- <Possible follow-ups>
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Justin Azoff (Sep 12)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Andrew Daviel (Sep 12)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Curt Wilson (Sep 16)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Jeni Li (Sep 26)
- Re: Chinese dot-dot-slash attack on Windows 2000/IIS Delaney, Cherry L. (Sep 27)