Security Incidents mailing list archives

RE: ncacn_http/1.0


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Thu, 7 Mar 2002 13:19:57 -0500

That's probably not good.  Ncacn_http allows client/server applications
to communicate via the internet (or any IP network) by using IIS to
"proxy" the requests.  Thus, an application that would normally be
prevented from accessing the internet could be piped out a public IP on
port 80 (in the case of ncacn_http, anyway).  The port on which the host
is listening is somewhat irrelevant, as port 80 only needs to be open on
the IIS server that is acting as the application proxy.  

This is oversimplified, and I've certainly left out most of the details,
but this is basically what ncacn_http is used for.  

Keith

-----Original Message-----
From: theGooo () hotmail com [mailto:theGooo () hotmail com]
Sent: Thursday, March 07, 2002 5:37 AM
To: incidents () securityfocus com; pen-test () securityfocus com
Subject: ncacn_http/1.0



 I have been getting Nimda-like scans from different hosts this morning.


        
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN
        scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
        _mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
        /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir

 When I checked these hosts, I found that they have some ports that
display "ncacn_http/1.0" when you connect to them. Is this Netcat or
something else? 
 BTW, all these servers don't have a port 80 open and they are Windows
machines.

Regards,
Sameh
========================================
Sameh Y. Farag
Security Engineer
Internet Security Systems - Middle East
Tel:        +2 02 7607011
Fax:        +2 02 7607013
<http://www.iss.net/>
The power to protect
======================================== 




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
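
The request patterns quoted in the original message can be recognised in web server logs by decoding each request target before matching. The following is an added example, not part of either poster's message; the function names, labels and sample request targets are constructed for illustration, modelled on the requests quoted above.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request targets, modelled on the ones quoted in the post,
# plus two benign ones to show what is not flagged.
SAMPLE_REQUESTS = [
    "/default.ida?" + "N" * 80,
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/index.html",
    "/docs/100%25-uptime.html",
]

def fully_decode(target, max_rounds=5):
    """Percent-decode until stable; return (bytes, number of rounds that changed it)."""
    data = target.encode("utf-8", "surrogateescape")
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data, rounds = decoded, rounds + 1
    return data, rounds

def classify(target):
    """Return labels (hypothetical names) for the scan patterns seen in the post."""
    labels = []
    # Long run of one repeated character after ".ida?" (the padded .ida request).
    if re.search(r"\.ida\?(.)\1{40,}", target, re.IGNORECASE):
        labels.append("ida-padding")
    decoded, rounds = fully_decode(target)
    if rounds > 1:                      # e.g. %255c -> %5c -> backslash
        labels.append("double-encoded")
    if b"\xc0" in decoded or b"\xc1" in decoded:
        labels.append("overlong-utf8")  # 0xC0/0xC1 never start valid UTF-8
    normalized = decoded.replace(b"\\", b"/").lower()
    if b"../" in normalized:
        labels.append("traversal")
    if b"cmd.exe" in normalized:
        labels.append("cmd-exe")
    return labels

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(classify(request) or ["clean"], request[:60])
```
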



