-
September 29th, 2004, 10:35 AM
#1
Junior Member
IIS logfile.
Greetz all,
While looking through the firewall log and the IIS log, I found this request which looks bad (I think).
Have a look and tell me what it is.
80 HTTP/1.0 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 400 - Hostname
&
HTTP/0.0 GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150%u0000%ue0ff%u9090=x&ë 400 - BadRequest
I got many of them in the HTTP error log... and it's really new to me; I usually get the other old stuff,
like: HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL
-
September 29th, 2004, 10:55 AM
#2
They are both attempts to overflow buffers. The default.ida one is Code Red IIRC and has been around forever. The null.ida one I don't recall seeing, but if it's new it isn't very effective, since they both threw back a 400 error code.
I wouldn't worry too much... Internet noise generated by a worm or worms.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
September 29th, 2004, 12:12 PM
#3
Junior Member
Rgr,
Thanks, just wanted to know what it is.
As I told you, I found them in the httperr logs, but it pulled my attention.
-
September 29th, 2004, 04:07 PM
#4
The first one is indeed Code Red. The second one I don't recognise. Both seem to use the same bug in ida.dll, which was patched about 3 years ago.
The last line could be Nimda or some script kiddie. Both are trying to abuse the extended Unicode bug. This was also patched about 3 years ago.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
September 29th, 2004, 04:23 PM
#5
The first two are the overflows; the last is the actual directory traversal attempt.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
September 29th, 2004, 04:41 PM
#6
The first two are the overflows; the last is the actual directory traversal attempt.
How do you mean that? Do you mean that the traversal is the subsequent act to the overflow? If so, that isn't correct. Either functions perfectly well on a vulnerable machine. The overflow executes the code at the end of the overflow padding, while the traversal takes place on an unpatched and/or unsecured machine.
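The two request shapes discussed in posts #4 and #6 (the .ida overflow with its %u-encoded payload after the padding, and the double-encoded / overlong-UTF-8 traversal) can be picked out of a log mechanically. The script below is an added example, not code from the thread or from any IIS tool; its log lines are constructed to mirror the entries quoted above (padding shortened, same payload bytes), and its decoding of %c0%af / %c1%1c reproduces the lenient two-byte UTF-8 handling that made the traversal work rather than any documented IIS routine.

```python
import re
from urllib.parse import unquote

# Constructed sample lines modelled on the three entries quoted in the thread
# plus two controls (one more traversal, one benign hit). Format here is
# "METHOD URL STATUS"; the padding runs are shortened but still 100+ bytes.
SAMPLE_LOG = [
    "GET /default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 400",
    "GET /NULL.IDA?" + "C" * 240
    + "%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150"
    + "%u0000%ue0ff%u9090=x 400",
    "HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c"
    "../winnt/system32/cmd.exe?/c+dir+c:\\ 400",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 404",
    "GET /index.html 200",
]

PCT_U = re.compile(r"%u([0-9a-fA-F]{4})")                  # IIS %uXXXX escapes
OVERLONG = re.compile(r"%(c[01])%([0-9a-fA-F]{2})", re.I)  # %c0%af, %c1%1c, ...
PADDING = re.compile(r"([A-Za-z0-9])\1{99,}")              # 100+ of one byte
DOTDOT = re.compile(r"(^|/)\.\.(/|$)")


def decode_percent_u(query: str) -> bytes:
    """Turn %uXXXX escapes into the 16-bit wide chars IIS decodes them to, in
    the little-endian order they occupy in memory (%u6858 -> 58 68). This is
    the byte stream that lands on the stack when the .ida buffer overflows."""
    out = bytearray()
    for hexval in PCT_U.findall(query):
        out += int(hexval, 16).to_bytes(2, "little")
    return bytes(out)


def decode_overlong(url: str) -> str:
    """Decode malformed two-byte UTF-8 the lenient way: 5 bits from the lead
    byte, 6 from the trailer, with no check that the trailer is a real
    continuation byte. %c0%af -> '/', %c1%1c -> '\\'."""
    def repl(m: re.Match) -> str:
        lead, trail = int(m.group(1), 16), int(m.group(2), 16)
        return chr(((lead & 0x1F) << 6) | (trail & 0x3F))
    return OVERLONG.sub(repl, url)


def normalize(url: str) -> str:
    """Approximate what the server saw: overlong fix-up, then two percent-decode
    passes (%255c -> %5c -> '\\'), with backslashes folded to '/'."""
    once = unquote(decode_overlong(url))
    return unquote(once).replace("\\", "/")


def classify(line: str) -> list[str]:
    """Return the attack tags that apply to one 'METHOD URL STATUS' log line."""
    _method, rest = line.split(" ", 1)
    url, _status = rest.rsplit(" ", 1)
    path, _, query = url.partition("?")
    tags = []
    # Code Red family: .ida/.idq target, long filler, %u-encoded payload.
    if path.lower().endswith((".ida", ".idq")) and (
        PADDING.search(query) or PCT_U.search(query)
    ):
        tags.append("ida-overflow")
    if "%25" in url.lower():            # an escaped '%' = double encoding
        tags.append("double-encoding")
    if OVERLONG.search(url):
        tags.append("overlong-utf8")
    norm = normalize(url)
    if DOTDOT.search(norm):             # '..' only visible after decoding
        tags.append("traversal")
    if "cmd.exe" in norm.lower():
        tags.append("cmd-exec")
    return tags


def scan(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Return (status, tags) for every line that matched at least one tag."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line.rsplit(" ", 1)[1], tags))
    return hits


if __name__ == "__main__":
    for status, tags in scan(SAMPLE_LOG):
        print(status, ",".join(tags))
```

The status column is worth keeping next to the tags: a 400 on an .ida hit means IIS refused the request before the ISAPI filter saw it (what post #2 points out), whereas a 200 on a cmd.exe traversal line would be the one to escalate. The `normalize` step is deliberately more permissive than a correct decoder, because the point is to see the path the vulnerable server would have resolved, not the one a strict parser would reject.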
-
September 29th, 2004, 04:41 PM
#7
Looks like none of them worked, which is a positive. I'm guessing that you're running IIS 5; do yourself a favor and get URLScan from Microsoft. It will strip that stuff off of the URL before it can hit the server.
Who is more trustworthy than all of the gurus or Buddhas?
-
September 29th, 2004, 04:53 PM
#8
The first two:
http://www.securityfocus.com/bid/2880/info/
The last line:
http://www.securityfocus.com/bid/2708/info/
Which, incidentally, opened up after you installed a patch for this one:
http://www.securityfocus.com/bid/1806
Man, I had to look really hard. It's been a while (3-4 years) since I bothered with 'em.
-
September 29th, 2004, 04:56 PM
#9
Originally posted here by bballad
Looks like none of them worked, which is a positive. I'm guessing that you're running IIS 5; do yourself a favor and get URLScan from Microsoft. It will strip that stuff off of the URL before it can hit the server.
If you remove the .ida coupling in IIS and if you put your webroot on another drive (if Windows is on C:, put your webroot on D:), neither of them will work, even if you don't patch.
-
September 29th, 2004, 08:35 PM
#10
sirdice, this is very true and just standard good practice, but considering MS's security record I would rather strip obviously malformed URLs before my web server tried to parse them. In a perfect world you would have IIS on another drive, only have the extensions mapped that you needed, have the IWAM user locked down and strict NTFS permissions across the whole box. Then some new MS exploit inherent in the server would be found by script kiddies and you would get compromised.
Never rely on one method to secure your servers; strip out those malformed URLs... it's a free tool and rather easy to set up.
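What posts #7, #9 and #10 describe (unmap .ida, keep an extension allow-list, reject malformed URLs before the server parses them) maps onto a handful of urlscan.ini settings. The fragment below is an added example in the urlscan.ini format of URLScan 2.5, not the stock file that ships with the tool and not anyone's production config: the section and key names are the tool's, the values chosen here are the hardened ones, and the extension list is an assumed minimal site that you would extend for your own content.

```ini
; urlscan.ini - hardened fragment (added example, not the stock file)
[Options]
; Allow-list mode: only extensions listed under [AllowExtensions] are served.
; .ida/.idq are simply absent, so the Code Red request dies here even unpatched.
UseAllowExtensions=1
; Decode once, then scan, so %255c is inspected as %5c ...
NormalizeUrlBeforeScan=1
; ... and reject if a second decode would change the URL again (double encoding).
VerifyNormalization=1
; Bytes >= 0x80 in the URL (the %c0%af / %c1%1c overlong forms) are refused.
AllowHighBitCharacters=0
; No '.' in the path part except the extension (kills '..' and 'x.y' dirs).
AllowDotInPath=0
UseAllowVerbs=1
EnableLogging=1

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
; '.' allows requests with no extension (directory / default document).
.
.htm
.html
.asp
.gif
.jpg
.css
.js

[DenyUrlSequences]
; each line is a substring that rejects the whole request
..
./
\
:
%
&

[RequestLimits]
MaxUrl=260
MaxQueryString=1024
```

Two caveats a practitioner wants before copying this. `%` under [DenyUrlSequences] rejects every escaped character that survives normalization, which also breaks applications that legitimately encode query values; drop it if your site needs encoded input and rely on VerifyNormalization and AllowHighBitCharacters for the traversal case. And the long X/C/N padding in the .ida requests is already over MaxQueryString, so the overflow is refused on size alone, but that is belt-and-braces on top of the missing .ida mapping, not a substitute for the idq patch post #10 is arguing you still need.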