
Thread: IIS Admins Beware - Get your systems patched

  1. #11
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Originally posted here by Tiger Shark
    DJM: I reran it against a real web site, (one of my own), and got the following reply:

    www.mydomain.com: Asib Pazir Nist

    Do we have any speakers of Arabic out there that can make a bit of sense out of this for us non-Arabic types?
    I did a search with google and found the following site: http://www.iranian.com/May96/Opinion/GolAgha.html

    Note: A common Iranian is usually referred to as Asib Pazir or "vulnerable" because he or she is vulnerable to inflationary pressures.)
    So vulnerable.. something..
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #12
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by CXGJarrod
    hmmm... I did (in DOS) tool.exe ip Address and it came up with a little text.
    I get the same response with either IP address or domain name.
    << SERVER MS-IIS NADARAD >>


    Cheers:
    DjM

  3. #13
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    DjM: same here. I just tried it on a default installation of IIS and it did the same thing. Well maybe it's not as useful as I originally thought.

    Results for me: << Ip Address Asib Pazir Nist >>
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  4. #14
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    One search of NADARAD brought up the word morality (although I'm not sure if it has the same meaning). Guessing I might guess that it means it's secure or safe.

    Have you checked to see if this "tool" isn't, in fact, sending information out?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    MsM: I hate to say this without confirmation but I'll make a wild @$$ed guess that nist is Iranian for "not". It would fit with your research making the entire phrase "vulnerable not" and it is not unusual to have the negative after the verb in many languages. Also many languages' negatives begin with "n".

    [EDIT]

    with regard to it sending info out: I was watching my machine with a HIDS and Ethereal and the server has HIDS too...... NOT a peep from either that is suspicious unless it has scheduled it but I have no additional processes or services running.

    [/EDIT]

    That coupled with the fact I ran some other tools against that particular server this am to see if I was missing any patches and it came up good would further imply that the phrase means not vulnerable.

    DJM: if I am right above, and looking at the syntax of the message it gave you, I would take a look at that server if it is open to the public. If I am right that my phrase means "not vulnerable" then logically yours implies "vulnerable".....

    CXG: I ran it against my same domain but only using the IP and got my same message back. Then I ran it against an IP with no web service and it came back with "Irad az Connection".... I think we can all guess that one....LOL

    [EDIT]

    What service pack and patch level are you running though? If they are only giving us 28 out of 255 a simple SP3 might block the 28 holes

    [/EDIT]
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #16
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by MsMittens
    Have you checked to see if this "tool" isn't, in fact, sending information out?
    netstat shows no unusual connections, and my firewall is functioning and not complaining. I don't think the tool is trying to phone home.

    Cheers:

    Originally posted here by Tiger Shark
    DJM: if I am right above, and looking at the syntax of the message it gave you, I would take a look at that server if it is open to the public. If I am right that my phrase means "not vulnerable" then logically yours implies "vulnerable".....
    We don't have any IIS servers open to the public, they are all behind the firewall and most are just development servers.

    It would be nice if we could get a clear translation of what this tool is telling us, guessing could just lead to needless panic attacks

    Cheers:
    DjM

  7. #17
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Doesn't look like the tool is living up to its description. I tried it on a default installation of IIS on a Win2k Service Pack 3 Box and it gave the same message.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  8. #18
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    OK.... I figured..... Screw this.....

    If I can't understand the Iranian I can see what it is actually doing via Ethereal 'cos my server speaks English........

    The dump shows that it is simply looking for scripts or files in the scripts dir that are known vulnerable, MSADC exploits, and all the other nice little ones that come with a code red/nimda event. Though when it tries to exploit cmd.exe vulnerabilities it seems to issue strange commands, (I'm guessing it's English written Arabic commands for cmd.exe).

    [EDIT]

    Duh..... It's issuing echo commands and the subsequent text is English written Arabic..... Sometimes my lack of observation astounds even me.....<s>

    [/EDIT]

    Needless to say my server replied with "404 - Object not found" for each event thus indicating "Asib Pazir Nist" really does mean "Not Vulnerable" therefore indicating that it found some vulnerability on DJM's server.

    Basically if your permissions are set correctly and you are not previously compromised, (cmd in the scripts dir for example), this tool isn't much different to any other skiddie scanner.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
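
The reasoning in post #18 (every probe answered with a 404 means the server is not vulnerable) can be checked from the web server's own logs. This is an added example, not part of the original thread or of the tool under discussion: it reads IIS W3C-format log lines, picks out requests touching the scripts dir, MSADC or cmd.exe, and flags any the server answered with a 2xx status. The log lines, IP addresses and file names are constructed.

```python
from collections import defaultdict

# Substrings taken from the post: scripts dir, MSADC, cmd.exe.
PROBE_MARKERS = ("/scripts/", "/msadc/", "cmd.exe")

# Constructed sample in IIS W3C extended format (documentation IPs, made-up paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-02-11 14:02:10 192.0.2.10 GET /default.htm - 200
2003-02-11 14:02:11 198.51.100.7 GET /scripts/example.dll - 404
2003-02-11 14:02:11 198.51.100.7 GET /msadc/example.dll - 404
2003-02-11 14:02:12 198.51.100.7 GET /scripts/cmd.exe /c+echo+test 404
2003-02-11 14:05:40 203.0.113.5 GET /MSADC/example.dll - 404
2003-02-11 14:05:41 203.0.113.5 GET /scripts/cmd.exe /c+echo+test 200
"""

def parse_w3c(text):
    """Yield one dict per request, using the #Fields: directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):      # skip malformed or truncated lines
                yield dict(zip(fields, parts))

def triage(text):
    """Per client: count of probe requests, and the probes the server answered with 2xx."""
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for req in parse_w3c(text):
        stem = req["cs-uri-stem"].lower()      # IIS paths are case-insensitive
        if not any(marker in stem for marker in PROBE_MARKERS):
            continue
        entry = report[req["c-ip"]]
        entry["probes"] += 1
        if req["sc-status"].startswith("2"):   # 2xx: the server actually served the probe
            entry["answered"].append(req["cs-uri-stem"])
    return dict(report)

if __name__ == "__main__":
    for ip, r in triage(SAMPLE_LOG).items():
        verdict = "INVESTIGATE" if r["answered"] else "probes only, all refused"
        print(ip, r["probes"], verdict, r["answered"])
```

A client with probes but an empty `answered` list matches the "404 for each event" case; any entry in `answered` is the case worth a closer look at the server.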

  9. #19
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Originally posted here by Tiger Shark
    Needless to say my server replied with "404 - Object not found" for each event thus indicating "Asib Pazir Nist" really does mean "Not Vulnerable" therefore indicating that it found some vulnerability on DJM's server.
    Thanks for the work Tiger, I likely won't look into what is wrong with that IIS server for two reasons (well this will make it three) it's behind the firewall, it's old and is scheduled to be upgraded and ported to Apache. The fact it's a vulnerable piece of crap may speed up the process of replacing it.


    Cheers:, I owe ya a beer.
    DjM

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    DJM..... Glad to have helped you with your Piece of Crap.....LOL

    Labbats Blue is my poison of choice and if you are near Detroit I can give you the address of my hangout and you can buy it in person....

    Tiger Shark, (Who has _never_ been known to turn down a beer)
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
