Snort mailing list archives
RE: web iis attack
From: "Gray . Brendan" <bgray2 () drc com>
Date: Fri, 25 Oct 2002 11:25:31 -0400
I've tried the IIS Lockdown tool, and it looks very promising. I haven't used it on a production server yet, but I will be soon.

I've noticed a trend in web attacks lately. The usual level of "noise" has been going down (noise = generic Nimda). Instead, once a week or so, one of my servers will get totally hammered by one IP address. It will be Code Red II, Nimda, and a whole bunch of stuff that I've never seen before. The hammering will last 30 minutes or so, then die off. In cases like these I extract the offending IP from my server logs and send it to the abuse department of their ISP. All I've gotten so far is an automated response, but I can't just ignore stuff like this.

I have IIS servers and the attacks are mostly buffer overflow stuff, but they'll throw in a bunch of %2E%2E%2E and an /etc/passwd?/c+dir+c:\ at the end. Not sure what they're trying to accomplish, but it's getting on my last nerve, and making me wonder if there's something new out.

Brendan Gray

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Sent: Friday, October 25, 2002 10:57 AM
To: Security Admin; user snort
Subject: RE: [Snort-users] web iis attack

Hi Guys,

Thanks to all who responded to my email (question). AFAIK, my IIS server was patched with SP6a and the cumulative patch for IIS. I also installed it on my Linux box (Apache + FrontPage extensions) and I got the same attack, but the payload says "connection closed". It is annoying because in the IIS payload in ACID it showed my external IP address, and I don't know if this was successful or not. Thanks again for the insight on this matter. I'm completely blind because it does not log it in my IIS log. To tell you frankly, I'm not an expert on IIS. Any tips to improve the security of my Windows NT box will be highly appreciated.

Your brother in Snort.

--- Security Admin <SecurityAdmin () hyprotech com> wrote:

Hi Alwin, this is a directory traversal attack (like Code Red). You can try it yourself by putting the line in the IIS logs into your browser and prepending your domain name. If you are on anything other than a Windows platform (with IIS/PWS, so Server, Pro etc.) this attack will have no effect. If you are on a Windows platform, hopefully you have applied all the security patches and SP3.

The %c1%1c will convert to some character.... likely the \, giving:

/samples/check.bat/../../../winnt/system32/cmd.exe?/

I don't know what the c+dir? converts to, but the attack is trying to run check.bat in your iissamples directory, and then execute cmd.exe (your command prompt). These attacks are very common; I've noticed more these past 2 weeks, can't remember exactly but something about the 19th of the month and Code Red or Nimda.... Hopefully you have completed basic IIS hardening on your box, which protects you from most of this...

Wayne

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Sent: Friday, October 25, 2002 5:55 AM
To: user snort
Subject: [Snort-users] web iis attack

Hi Guys,

I got a massive attack from one IP doing something on one of my IIS servers. I already posted it; some say that I should look at the IIS log files to see if they succeeded in getting in or not. For almost a week I puzzled myself, because Snort detects it and logs the packets and everything, while in the IIS log there is nothing. Absolutely nothing. BTW, here are the sample logs in Snort:

HEAD /samples/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir?/c+dir+c:\ HTTP/1.0..Host: xxx.xx.xx.91

Are there any software or utilities that can do this? Let me know, because I want to try it myself. I need your help guys.

Thanks in advance,
Your brother in Snort

=====
Alwin Raymundo
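The decoding step Wayne describes, worked through as an added example (this code is not from the thread, from Snort or from Microsoft): a small Python emulation of how an unpatched IIS 4/5 canonicaliser turned %c1%1c into a backslash (the overlong-UTF-8 flaw fixed by MS00-078, whose classic form was %c0%af for "/"), what the request in Alwin's Snort capture resolves to once decoded, and why a detector that only looks for a literal `../` or `%2e%2e/` misses it. The decoder's arithmetic is an assumption modelled on the public descriptions of the bug, not IIS's actual code, and the request list is constructed for the example (only the first line mirrors the captured request).

```python
"""Emulate the IIS overlong-UTF-8 canonicalisation flaw (MS00-078) and check
requests for web-root escape after decoding.  Added example, not from the
Snort-users thread; the decoder is an assumed model of the bug, not IIS code."""
import posixpath
import re
from urllib.parse import unquote_to_bytes

# Constructed sample requests.  Only the first mirrors the request line in the
# Snort capture quoted in the thread; the rest are made up for this example.
SAMPLE_REQUESTS = [
    "/samples/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir?/c+dir+c:\\",
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
    "/index.html",
    "/images/%2e%2e/%2e%2e/winnt/system32/cmd.exe?/c+dir",
    "/cgi-bin/search?q=%c3%a9",  # valid UTF-8 for 'é' in the query; must not trigger
]


def iis_lenient_decode(raw: bytes) -> str:
    """Assumed model of the vulnerable decoder: a two-byte lead (0xC0-0xDF) is
    combined with the following byte as ((lead & 0x1F) << 6) | (next & 0x3F)
    without checking that `next` is a continuation byte or that the result is
    not overlong.  Hence 0xC1 0x1C -> 0x5C '\\' and 0xC0 0xAF -> 0x2F '/',
    while a well-formed pair such as 0xC3 0xA9 still decodes to 'é'."""
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        elif b < 0x80:
            out.append(chr(b))
            i += 1
        else:
            out.append("\ufffd")  # other multibyte forms are not modelled here
            i += 1
    return "".join(out)


def decoded_path(request: str) -> str:
    """Percent-decode the path part (query string dropped), apply the lenient
    UTF-8 step, and fold backslashes to '/' as the Windows file system would."""
    path = request.split("?", 1)[0]
    return iis_lenient_decode(unquote_to_bytes(path)).replace("\\", "/")


def escapes_webroot(request: str) -> bool:
    """True if walking the decoded segments ever climbs above the web root."""
    depth = 0
    for seg in decoded_path(request).split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False


def canonical_path(request: str) -> str:
    """The path the server ends up opening, with '..' segments collapsed."""
    return posixpath.normpath(decoded_path(request))


# A signature that only knows about literal or %2e-encoded dot-dot-slash.
NAIVE_TRAVERSAL = re.compile(r"(\.\.|%2e%2e)[/\\]", re.IGNORECASE)


def naive_flags(requests):
    """Requests a literal-pattern detector would flag (misses the %c1%1c form)."""
    return [r for r in requests if NAIVE_TRAVERSAL.search(r)]


def decoded_flags(requests):
    """Requests flagged after emulating the server's own decoding."""
    return [r for r in requests if escapes_webroot(r)]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        verdict = "ESCAPES" if escapes_webroot(r) else "ok     "
        print(f"{verdict} {canonical_path(r):28} {r}")
    print("naive detector flags  :", len(naive_flags(SAMPLE_REQUESTS)))
    print("decoded detector flags:", len(decoded_flags(SAMPLE_REQUESTS)))
```

Run as a script it prints, for each constructed request, whether the decoded path climbs out of the web root and what it canonicalises to; the captured request becomes /winnt/system32/cmd.exe exactly as Wayne worked out by hand, and the naive signature flags the %2e%2e and %c0%af../ lines but not the %c1%1c one, which is the practical reason an IDS or a web-server log filter has to decode the way the target decodes before matching.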
Current thread:
- web iis attack Alwin Raymundo (Oct 25)
- <Possible follow-ups>
- Re: web iis attack doswald (Oct 25)
- RE: web iis attack Alwin Raymundo (Oct 25)
- RE: web iis attack Gray . Brendan (Oct 25)
- RE: web iis attack Hicks, John (Oct 25)