
Thread: I was attacked by this...

  1. #1
    Senior Member
    Join Date
    Dec 2002
    Posts
    144

    I was attacked by this...

    IIS_CGI_Decode_Command_Execution...

    What is it, actually... my firewall has been giving me this warning... what should I do with this?
    BlAcKiE
    GearBlitz

  2. #2
    I am sure people over here can help you, but you will have to supply some more information.
    Like what OS you are running, what firewall gave you the message, and what you were doing while this thing occurred.

  3. #3
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Hmmm, well, let's see, IIS is what? Oh yeah!!! A web server!!!! And CGI is what??? Common Gateway Interface!!! Usually used for things like logging in. Now, it could be an error on the server of a site you're looking at, but just to be safe, the next time it happens, if it does, look at what you're doing. If you're looking at a site or whatever, just jot it down and reply, so if that's not it we can help more.

  4. #4
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    I found a couple links, check them out

    Here
    which leads you to this link Here

    After a semi-quick search, this is what I found, I'll continue searching and if I find anything else, I'll post it.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.

    I found the same place you did, ShagDevil. It was the first link I got by entering IIS_CGI_Decode_Command_Execution in Google.

    I believe this is also known as the Unicode exploit.

    I'm sorry, you asked what you should do with this. Well, assuming you're running IIS 5, open the Run command and enter winver. If you're running with Service Pack 2 or greater, forget about it. If you're not, reformat and do it right, because there's no telling what's on your system now.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    A good search engine; most of you will have heard of this, but if you haven't:

    www.google.com

  7. #7
    Senior Member
    Join Date
    Aug 2002
    Posts
    651

    URL Scan for Unicode attacks...

    Hey Penguin. Not long ago, I learned of a handy tool/application called URLScan, which is part of the IIS Lockdown tool. URLScan can be extracted from the tool if you would only like to use it by itself, although it may be best to use the complete Lockdown tool. Basically, it works by screening all requests to your web server via the URL, checking to make sure each one meets certain requirements for the request to be processed. It is controlled by a configuration file which you can customize to your liking. You can also have it write daily logs showing a wealth of information such as the attacker's IP, the modified URL they tried to use, what error page was displayed to them, why it was not processed (i.e. a request for an executable like cmd.exe when this is not allowed), the time, and so on... I think it's a pretty nifty tool. I'm sure that it's been around for a while (not sure how long), but I think it's worth mentioning in this situation. The link to the Microsoft page describing it can be found here, and on the same page, you will find a link to more information on the IIS Lockdown Tool in general. I hope this helps you. I've seen Unicode attacks in action, and without the proper protection/configuration, they could probably be a problem to the unwary admin.


    Take care,

    t2k2
    Opinions are like holes - everybody's got 'em.

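Added example, not part of any post in this thread and not URLScan's own logic: a Python sketch of the URL screening described in posts #5 and #7, which decodes each logged request path repeatedly and flags `..` segments that only appear after a second decode. The log lines, their field layout and the names `decode_passes`, `classify` and `scan` are constructed for illustration and assume the log stores the request path as received.

```python
import re
from urllib.parse import unquote

# A ".." path segment delimited by "/" or "\" (or at either end of the path).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
MAX_PASSES = 3  # cap on repeated decoding

# Constructed sample log (hypothetical field layout, documentation IP ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-01-10 04:12:55 192.0.2.10 GET /default.htm 200
2003-01-10 04:13:02 198.51.100.7 GET /scripts/%252e%252e%255capp/tool.exe 404
2003-01-10 04:13:09 198.51.100.7 GET /docs/%2e%2e/private.htm 404
2003-01-10 04:14:40 192.0.2.10 GET /docs/100%25%20free.htm 200
"""


def decode_passes(uri_path):
    """Percent-decode repeatedly; return the raw form and each decoded form."""
    forms = [uri_path]
    for _ in range(MAX_PASSES):
        decoded = unquote(forms[-1], encoding="latin-1")
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    return forms


def classify(uri_path):
    """Return 'clean', 'traversal' or 'double-encoded traversal'."""
    for depth, form in enumerate(decode_passes(uri_path)):
        if TRAVERSAL.search(form):
            # depth 0 or 1: visible raw or after the one decode a server performs.
            # depth 2+: only exposed by decoding again, the case post #5 describes.
            return "traversal" if depth <= 1 else "double-encoded traversal"
    return "clean"


def scan(log_text):
    """Return (client_ip, uri, verdict) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        verdict = classify(fields[4])
        if verdict != "clean":
            hits.append((fields[2], fields[4], verdict))
    return hits
```

`scan(SAMPLE_LOG)` returns the two flagged requests from 198.51.100.7; the last line, whose `%25` is an ordinary encoded percent sign, stays clean.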

  8. #8
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    /me takes an educated guess..

    some worm infected server is looking for the same hole in yours..

    Common message caused by Nimda, CodeRed etc..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  9. #9
    If you have an IIS running, just patch it, if necessary. If you don't, laugh at them. It might be hard to believe, but script kiddies are able to keep using dozens of Unicode strings to 'own' an Apache server.. Argh. And defacers dare to call themselves hackers. Yuck!
    Another possibility is Nimda or CodeRed, as was previously stated. See? Worms are already smarter than script kiddies!
