Security Incidents mailing list archives

Re: Unicode Logs with Ping Activity


From: Vitaly Osipov <vosipov () wolfegroup ie>
Date: Fri, 13 Jul 2001 10:39:28 +0100

The probability of the source IPs being spoofed is very low, because in
order to send a request to your IIS server, they had to establish a TCP
connection, and this is a bit of a tricky thing to do when you try to spoof
the source IP (not on unpatched NT, though :) )

regards,
Vitaly.

myrddin_e () hushmail com wrote:

Understood, and thanks for the detailed information. That is what I was
trying to learn!

Anyone have an opinion as to the likelihood of the originating address
not being spoofed? I counted four unique addresses that used the system
for ping attacks over the course of 20 days.

DISCLAIMER: NO, this was not my server. YES, I do know that the patch for
Unicode was released with bulletin MS00-057. YES, I did read the FAQ before
posting. Geez guys, take a pill.

At Tue, 10 Jul 2001 13:05:45 -0400 (EDT), Jordan K Wiens <jwiens () nersp nerdc ufl edu> wrote:


No, a 502 error is a bad gateway error; what happens is that your IIS
server is unpatched against the Unicode exploits (one of them, at least)
and is executing the command to ping a host. Just recently there seems
to be an increase in the number of hackers using vulnerable web servers for
DDoS-like behavior using over-sized pings.

When the ping command executes, it runs the pings; however, it (obviously)
does not return complete HTML headers as its output (since ping was never
meant to run via the web, it's not supposed to run like a normal web
executable). IIS notices this, realizes that the script hasn't correctly
executed, and lets you know with the 502 error. If you actually look at
the page, the results would read something like: "502 error; the
application has not returned correct headers. The headers it did return
are:" and then IIS would proceed to show the output of whatever had been
shown.

The error you want to see once a machine has been fully patched is usually
a 404 error.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061
Free, encrypted, secure Web-based email at www.hushmail.com
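The thread describes the two things a defender wants out of the web server log here: which requests carried the Unicode-encoded traversal that lets cmd.exe run ping, and whether each one actually executed (502, no valid headers came back) or was refused (404, the expected response once patched). The following script is an added example, not code from anyone in the thread. It runs over constructed W3C-style IIS log lines, percent-decodes the URI stem to raw bytes, decodes them the lenient way a pre-fix decoder did (overlong forms such as C0 AF collapse to "/"), flags overlong sequences and ".." traversal, classifies each hit by status code as the thread explains, and counts distinct source addresses. The log format, field order and all addresses are assumptions for the example.

```python
import re
from collections import Counter

# Constructed W3C-style IIS log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status); sample data for this example, not from the thread.
SAMPLE_LOG = """\
2001-07-10 13:05:45 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+60000+-t+198.51.100.5 502
2001-07-10 13:06:02 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+60000+-t+198.51.100.5 502
2001-07-11 02:14:19 192.0.2.77 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+ping+203.0.113.9 502
2001-07-12 09:00:01 192.0.2.33 GET /index.htm - 200
2001-07-13 17:45:10 192.0.2.99 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+203.0.113.9 404
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def percent_decode_bytes(s: str) -> bytes:
    """Undo %XX escapes to raw bytes without any charset interpretation."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] == "%" and re.fullmatch(r"[0-9A-Fa-f]{2}", s[i + 1:i + 3]):
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:
            out.extend(s[i].encode("latin-1", "replace"))
            i += 1
    return bytes(out)


def has_overlong_utf8(data: bytes) -> bool:
    """True if a UTF-8 lead byte starts an overlong (non-shortest) form,
    e.g. C0 AF for '/', which a strict decoder must reject."""
    for i, b in enumerate(data):
        nxt = data[i + 1] if i + 1 < len(data) else None
        if b in (0xC0, 0xC1):
            return True
        if b == 0xE0 and nxt is not None and nxt < 0xA0:
            return True
        if b == 0xF0 and nxt is not None and nxt < 0x90:
            return True
    return False


def lenient_decode(data: bytes) -> str:
    """Decode the way a pre-fix decoder did: overlong forms are accepted and
    collapse to the ASCII character they encode. Strict UTF-8 rejects them."""
    chars, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:
            chars.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < n and 0x80 <= data[i + 1] <= 0xBF:
            chars.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif (0xE0 <= b <= 0xEF and i + 2 < n
              and all(0x80 <= data[i + k] <= 0xBF for k in (1, 2))):
            cp = ((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)
            chars.append(chr(cp)); i += 3
        else:
            chars.append("\ufffd"); i += 1
    return "".join(chars)


def classify(status: str) -> str:
    """Map the status code to what the thread says it means for this traffic."""
    if status == "502":
        return "executed"   # command ran; its output lacked HTTP headers (unpatched)
    if status == "404":
        return "blocked"    # the response expected once the server is patched
    return "other"


def analyse(log_text: str) -> list:
    """Flag requests whose decoded path uses overlong UTF-8 or traverses with '..'."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        date, time, ip, method, stem, query, status = m.groups()
        raw = percent_decode_bytes(stem)
        path = lenient_decode(raw).replace("\\", "/")
        overlong = has_overlong_utf8(raw)
        traversal = ".." in path.split("/")
        if overlong or traversal:
            findings.append({
                "when": f"{date} {time}", "src": ip, "status": status,
                "outcome": classify(status), "decoded_path": path,
                "overlong": overlong, "query": query,
            })
    return findings


def unique_sources(findings: list) -> int:
    # c-ip comes from a completed TCP handshake, so, as Vitaly notes, it is far
    # less likely to be spoofed than the source of the ICMP packets would be.
    return len({f["src"] for f in findings})


if __name__ == "__main__":
    hits = analyse(SAMPLE_LOG)
    for f in hits:
        print(f["when"], f["src"], f["status"], f["outcome"], f["decoded_path"])
    print("unique sources:", unique_sources(hits))
    print(Counter(f["outcome"] for f in hits))
```

Decoding to raw bytes first and only then applying the lenient decoder is deliberate: matching the literal `%c0%af` string would miss other overlong spellings of the same character, while decoding strictly (the way a patched server does) would raise an error and tell you nothing about what the attacker meant the path to be.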

----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see:

http://aris.securityfocus.com

