Have I been missing something?????

Thread: Have I been missing something?????

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197

    Have I been missing something?????

    While this is a standard attempt at directory traversal, I have never noticed these particular strings ("ø€€€¯") in the attempt. Is this new, or have I just not been graced by this little nasty before? Or are my powers of observation failing.......

    2003-05-01 05:50:51 Daemon.Info XXX.XXX.XXX.XXX May 1 05:50:51 My Server <009>2003-05-01 09:50:49 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)

    2003-05-01 05:50:51 Daemon.Info XXX.XXX.XXX.XXX May 1 05:50:51 My Server <009>2003-05-01 09:50:50 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)

    2003-05-01 05:51:01 Daemon.Info XXX.XXX.XXX.XXX May 1 05:51:01 My Server <009>2003-05-01 09:50:57 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ð€€¯../..ð€€¯../..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)

    2003-05-01 05:51:01 Daemon.Info XXX.XXX.XXX.XXX May 1 05:51:01 My Server <009>2003-05-01 09:50:58 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ü€€€€¯../..ü€€€€¯../..ü€€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)

    2003-05-01 05:51:06 Daemon.Info XXX.XXX.XXX.XXX May 1 05:51:06 My Server <009>2003-05-01 09:51:01 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\ 404 Mozilla/3.0+(compatible)
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Re: Have I been missing something?????

    It's probably a unicode string. Something like %c1%c9 will create these characters. It's known as the unicode exploit and viruses like Nimda use it to break out of the webroot and into your winnt directory.

    Unfortunately unicode has several different encodings for / and \ . Someone is probably using a different set than usual to evade detection by IDSs.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
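Added worked example, not code posted by anyone in this thread: a Python script that recovers the bytes behind the "ø€€€¯" style strings in the log lines above and flags them as overlong UTF-8 encodings of the path separator. It assumes the log viewer rendered raw request bytes as Windows-1252 (so re-encoding the displayed text with cp1252 gives back the bytes the server saw: "ø€€€¯" is F8 80 80 80 AF, a '/' padded out to five bytes), and the sample log lines are constructed from the request paths in post #1 plus a percent-encoded variant and one clean request.

```python
"""Added example: detect overlong UTF-8 encodings of '/' and '\\' in IIS request paths."""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in the thread's IIS log layout. The viewer showed raw
# bytes as Windows-1252, so cp1252-encoding the text recovers them
# ("ø€€€¯" -> F8 80 80 80 AF, "ð€€¯" -> F0 80 80 AF, "ü€€€€¯" -> FC 80 80 80 80 AF).
SAMPLE_LOG = [
    "2003-05-01 09:50:49 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ð€€¯../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0+(compatible)",
    "2003-05-01 09:50:50 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0+(compatible)",
    "2003-05-01 09:50:58 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /msadc/..ü€€€€¯../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0+(compatible)",
    "2003-05-01 09:52:10 216.185.74.XXX - XXX.XXX.XXX.XXX 80 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/3.0+(compatible)",
    "2003-05-01 09:53:00 10.0.0.XXX - XXX.XXX.XXX.XXX 80 GET /images/logo.png - 200 Mozilla/4.0",
]

# (lead byte low, lead byte high, payload mask, sequence length, smallest code point
# that genuinely needs this many bytes). Anything decoding below that minimum is overlong.
UTF8_FORMS = [
    (0xC0, 0xDF, 0x1F, 2, 0x80),
    (0xE0, 0xEF, 0x0F, 3, 0x800),
    (0xF0, 0xF7, 0x07, 4, 0x10000),
    (0xF8, 0xFB, 0x03, 5, 0x200000),    # 5- and 6-byte forms were removed from UTF-8 by
    (0xFC, 0xFD, 0x01, 6, 0x4000000),   # RFC 3629, but lenient decoders of the era took them
]


def find_overlong(data: bytes):
    """Return [(offset, sequence, decoded_char)] for every overlong multi-byte sequence."""
    hits, i = [], 0
    while i < len(data):
        form = next((f for f in UTF8_FORMS if f[0] <= data[i] <= f[1]), None)
        if form is None:
            i += 1
            continue
        _, _, mask, length, minimum = form
        seq = data[i:i + length]
        if len(seq) < length or any(not 0x80 <= c <= 0xBF for c in seq[1:]):
            i += 1          # truncated or malformed: not a complete sequence
            continue
        cp = data[i] & mask
        for c in seq[1:]:
            cp = (cp << 6) | (c & 0x3F)
        if cp < minimum:    # would fit in fewer bytes, so it is overlong by definition
            hits.append((i, bytes(seq), chr(cp)))
        i += length
    return hits


def normalize_path(raw_path: bytes) -> str:
    """Percent-decode, then replace each overlong sequence with the character it hides,
    giving the path a lenient decoder would have acted on."""
    data = unquote_to_bytes(raw_path)
    hits = {off: (seq, ch) for off, seq, ch in find_overlong(data)}
    out, i = "", 0
    while i < len(data):
        if i in hits:
            seq, ch = hits[i]
            out += ch
            i += len(seq)
        else:
            out += chr(data[i])   # byte-for-byte (latin-1 style), good enough for segment checks
            i += 1
    return out


def is_traversal(raw_path: bytes) -> bool:
    """True if the path carries overlong sequences or climbs out of the webroot."""
    if find_overlong(unquote_to_bytes(raw_path)):
        return True           # no legitimate client sends overlong UTF-8
    segments = re.split(r"[/\\]", normalize_path(raw_path))
    return ".." in segments


def scan_log(lines):
    """Return (path as displayed, normalized path) for every flagged GET request."""
    flagged = []
    for line in lines:
        m = re.search(rb"\bGET\s+(\S+)", line.encode("cp1252"))
        if m and is_traversal(m.group(1)):
            flagged.append((m.group(1).decode("cp1252"), normalize_path(m.group(1))))
    return flagged


if __name__ == "__main__":
    for shown, real in scan_log(SAMPLE_LOG):
        print(f"{shown}\n    -> {real}")
```

Running it prints each flagged request next to the "/msadc/../../winnt/system32/cmd.exe" it really encodes; the logo.png line is not reported. The same normalization step is what a server-side filter needs before any "does the path contain ../" check, since the strict UTF-8 decoders in current runtimes reject these sequences outright but a check that runs on the raw bytes never sees the separators.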

  3. #3
    Just a Virtualized Geek
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I've heard rumors of a new Code Red. Could this be it?

    Pop GET /msadc/..ø€€€¯../..ø€€€¯../..ø€€€¯../winnt/system32/cmd.exe into google and you should see a few hits, one from a specific IIS maillist/forum thread.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Originally posted here by MsMittens
    I've heard rumors of a new Code Red. Could this be it?
    Code Red uses a buffer overflow in ida.dll. As such it only uses something like blahblah.ida?<overflow> to launch its attack. And yes, the rumours are true. As far as I know there are 3 versions of code red. The latest incarnation doesn't seem to have the drop-dead date (20th of every month). It also doesn't attack that 1 IP of www.whitehouse.gov anymore.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Seems like I have missed it or it hasn't come my way in the past. Some of the Google hits are dated 6/2002, so I guess this encoding has been around a while but it doesn't appear to be really common.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403

    Simple trick to thwart Nimda

    Just a quick and simple tip:

    Install Windows+IIS like you normally would on C:

    Go to the Internet Information Server admin tool.

    Disable the default web site.
    Create a new web site and set its webroot on D: (or any other drive except C:)

    Tada. Nimda can still break out of the webroot but there's no way to get to the winnt dir. So nimda cannot do any damage. This also prevents future (still to be found) ../ tricks.

    I've used this trick to catch some ugly users.

    On D: I created the same structure as on c: ( \inetpub\wwwroot )
    Also on D: I created a winnt\system32 dir. Then I made a simple executable, named it cmd.exe and put it in d:\winnt\system32. When someone uses the unicode exploit, they get *my* executable and not the real cmd.exe. It just showed a simple html message stating they were logged and would be hunted down. It scared the **** out of them
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Nice Dice...... (wow, I'm a poet and I didn't know it..... )

    Now that's funny...... You're evil....... Love it.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    Also on D: I created a winnt\system32 dir. Then I made a simple executable, named it cmd.exe and put it in d:\winnt\system32. When someone uses the unicode exploit, they get *my* executable and not the real cmd.exe. It just showed a simple html message stating they were logged and would be hunted down. It scared the **** out of them
    SirDice

    how can I build a similar cmd.exe on my server? I'd like to have a customized html message and have it audited for this type of attack.

  9. #9
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    it's not too hard, I did this on my apache web server...only the html page contained a .pl script (and I was not very nice about it).

    Basically build a file called cmd.exe (make sure your webserver will recognize .exe's as an html file, or in my case a .pl file and deal with it appropriately). Use your favorite editor to build the page in HTML (be it VI or notepad or frontpage) then save it. Rename it to cmd.exe and put it in the appropriate place.
    Who is more trustworthy than all of the gurus or Buddha's?

  10. #10
    Senior Member
    Join Date
    Apr 2003
    Posts
    147
    simply beautiful SirDice, though I'd only probably implement your idea bballad. hehe.
