-
January 19th, 2003, 01:48 AM
#1
Senior Member
I was attacked by this...
IIS_CGI_Decode_Command_Execution...
What is it actually... my firewall has been giving me this warning... what should I do with this?
-
January 19th, 2003, 01:53 AM
#2
I am sure people over here can help you but you will have to supply some more information.
Like what OS you are running, what firewall gave you the message and what you were doing while this thing occurred.
-
January 19th, 2003, 02:05 AM
#3
Hmmm, well, let's see, IIS is what? Oh yeah!!! A web server!!!! And CGI is what??? Common Gateway Interface!!! Usually used for things like logging in. Now, it could be an error on the server of a site you're looking at, but just to be safe, the next time it happens, if it does, look at what you're doing. If you're looking at a site or whatever, just jot it down and reply, so if that's not it we can help more.
-
January 19th, 2003, 02:09 AM
#4
I found a couple links, check them out
Here
which leads you to this link Here
After a semi-quick search, this is what I found, I'll continue searching and if I find anything else, I'll post it.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
January 19th, 2003, 05:21 AM
#5
Directory traversal vulnerability in IIS 5.0 and earlier allows remote attackers to execute arbitrary commands by encoding .. (dot dot) and "\" characters twice.
I found the same place you did, shagdevil. It was the first link I got by entering IIS_CGI_Decode_Command_Execution in Google.
I believe this is also known as the Unicode exploit.
I'm sorry, you asked what you should do with this. Well, assuming you're running IIS 5, open the Run command and enter winver. If you're running with Service Pack 2 or greater, forget about it. If you're not, reformat and do it right, because there's no telling what's on your system now.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
January 19th, 2003, 10:25 PM
#6
A good search engine, most of you would have heard of this, but if you haven't:
www.google.com
-
January 20th, 2003, 07:03 AM
#7
URL Scan for Unicode attacks...
Hey Penguin. Not long ago, I learned of a handy tool/application called URLScan, which is part of the IIS Lockdown tool. URLScan can be extracted from the tool if you would only like to use it by itself, although it may be best to use the complete Lockdown tool. Basically, it works by screening all requests to your webserver via the URL, checking to make sure each one meets certain requirements for the request to be processed. It is controlled by a configuration file which you can customize to your liking. You can also have it write daily logs showing a wealth of information such as the attacker's IP, the modified URL they tried to use, what error page was displayed to them, why it was not processed (i.e. a request for an executable like cmd.exe when this is not allowed), the time, and so on... I think it's a pretty nifty tool. I'm sure that it's been around for a while (not sure how long), but I think it's worth mentioning in this situation. The link to the Microsoft page describing it can be found here, and on the same page, you will find a link to more information on the IIS Lockdown Tool in general. I hope this helps you. I've seen Unicode attacks in action, and without the proper protection/configuration, they could probably be a problem to the unwary Admin.
Take care,
t2k2
Opinions are like holes - everybody's got 'em.
Smile
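Added example, not part of the original thread and not URLScan's own code: a small log check in the spirit of the URL screening described above, flagging request URIs that are percent-encoded more than once or that contain a `..` traversal sequence after decoding. The log layout, field positions, function names and sample lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (assumed layout: date time client-ip method uri status).
SAMPLE_LOG = """\
2003-01-19 01:40:12 192.0.2.10 GET /default.htm 200
2003-01-19 01:41:03 198.51.100.7 GET /scripts/..%255c../cmd.exe 404
2003-01-19 01:41:04 198.51.100.7 GET /scripts/..%5c../cmd.exe 404
2003-01-19 01:42:30 192.0.2.10 GET /docs/100%25%20free.htm 200
""".splitlines()

TRAVERSAL = re.compile(r"\.\.[\\/]")  # "../" or "..\" once fully decoded

def decode_rounds(uri, max_rounds=5):
    """Percent-decode until the string stops changing; return every form seen."""
    forms = [uri]
    for _ in range(max_rounds):
        decoded = unquote(forms[-1], encoding="latin-1")
        if decoded == forms[-1]:
            break
        forms.append(decoded)
    return forms

def classify(uri):
    """Return the reasons a request URI looks hostile (empty list = clean)."""
    forms = decode_rounds(uri)
    reasons = []
    if len(forms) > 2:  # a second decode pass still changed the URI
        reasons.append("encoded-more-than-once")
    if TRAVERSAL.search(forms[-1]):
        reasons.append("traversal")
    return reasons

def scan(lines):
    """Return a list of (client_ip, uri, reasons) for suspicious log lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 6:
            continue  # not a request line in the assumed layout
        reasons = classify(fields[4])
        if reasons:
            hits.append((fields[2], fields[4], reasons))
    return hits

if __name__ == "__main__":
    for ip, uri, reasons in scan(SAMPLE_LOG):
        print(ip, uri, ",".join(reasons))
```

A URI such as `/docs/100%25%20free.htm` decodes once to a literal percent sign and then stops changing, so it is not flagged; only a URI that keeps changing on a second pass counts as encoded more than once.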
-
January 20th, 2003, 11:29 AM
#8
/me takes an educated guess..
some worm infected server is looking for the same hole in yours..
Common message caused by Nimda, CodeRed etc..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
January 23rd, 2003, 06:06 PM
#9
If you have an IIS running, just patch it, if necessary. If you don't, laugh at them. It might be hard to believe, but script kiddies are able to keep using dozens of unicode strings to 'own' an Apache server.. Argh. And defacers dare to call themselves hackers. Yuck!
Another possibility is Nimda or Codered, as it was previously stated. See? Worms are already smarter than script kiddies!