
Thread: iis logfile.

  1. #1
    Junior Member
    Join Date
    Sep 2004
    Posts
    5

    iis logfile.

    greetz all,

    while looking through the firewall log and the iis log, i found this request which looks bad "I think".

    have a look and tell me what it is.

    80 HTTP/1.0 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a 400 - Hostname
    &
    HTTP/0.0 GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564%u0150%u0000%ue0ff%u9090=x&ë 400 - BadRequest

    I got many of it in the error http... and it's really new to me, i usually get the other old stuff,

    like: HTTP/1.0 HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\ 400 - URL

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    They are both attempts to overflow buffers. The default ida is code red IIRC and has been around for ever. The null.ida I don't recall seeing but if it's new it isn't very effective since they both threw back a 400 error code.

    I wouldn't worry too much... Internet noise generated by a worm or worms.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Junior Member
    Join Date
    Sep 2004
    Posts
    5
    rgr,

    Thanks, just wanted to know what it is.
    as i told you, i found them in the httperr logs, but it pulled my attention.
    mOO

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    The first one is indeed CodeRed. The second one I don't recognise. Both seem to use the same bug in ida.dll which was patched about 3 years ago.

    The last line could be Nimda or some scriptkiddie. Both are trying to abuse the extended unicode bug. This was also patched about 3 years ago.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    the first two are the overflows, the last is the actual directory traversal attempt.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    the first two are the overflows, the last is the actual directory traversal attempt.
    How do you mean that? Do you mean that the traversal is the subsequent act to the overflow? If so that isn't correct. Either function perfectly well on a vulnerable machine. The overflow executes the code at the end of the overflow padding while the traversal takes place on an unpatched and/or unsecured machine.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    Looks like none of them worked, which is a positive. I'm guessing that you're running IIS 5; do yourself a favor and get URLScan from Microsoft, it will strip that stuff off of the URL before it can hit the server.
    Who is more trustworthy than all of the gurus or Buddha's?

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    The first two:
    http://www.securityfocus.com/bid/2880/info/

    The last line:
    http://www.securityfocus.com/bid/2708/info/

    Which, incidentally, opened up after you installed a patch for this one:
    http://www.securityfocus.com/bid/1806

    Man, I had to look really hard. It's been a while (3-4 years) since I bothered with 'm.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
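    The three kinds of log entries discussed in this thread (the two .ida overflow probes from post #1 and the encoded traversal line) can be told apart mechanically. The following script is an added example, not code from the thread or from any of the posters: it classifies request lines from a constructed sample modelled on the entries in post #1 (padding shortened), flagging an .ida request carrying %u escapes or a long run of filler as an ISAPI overflow probe, and flagging dot-dot sequences, double-encoded %255c and overlong %c0/%c1 forms as traversal attempts. It decodes percent-encoding in stages because the double-encoded form only becomes a backslash after a second pass; the overlong %c1%1c form is flagged as written rather than emulated, since only the buggy IIS decoder turned it into a path separator.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (method and URL only) modelled on the httperr entries
# quoted in the thread. The filler is shortened; the shape is preserved.
SAMPLE_LOG = [
    "GET /default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801"
    + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a",
    "GET /NULL.IDA?" + "C" * 224
    + "%u0aeb%ub890%u898b%u77e8%u0000%u0000%u838b%u0094%u0000%u408b%u0564"
    + "%u0150%u0000%ue0ff%u9090=x",
    "HEAD /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../"
    "winnt/system32/cmd.exe?/c+dir+c:\\",
    "GET /index.html",                 # benign
    "GET /search?q=" + "a" * 30,       # benign, short run of repeated chars
]

# Path handled by the .ida ISAPI extension (Index Server), case-insensitive.
IDA_EXT = re.compile(r"\.ida(?=[?/]|$)", re.I)
# The %uXXXX escapes IIS accepted; plain percent-decoding leaves them untouched.
UNICODE_ESCAPE = re.compile(r"%u[0-9a-f]{4}", re.I)
# 64 or more of the same character in a row: filler padding a buffer.
LONG_RUN = re.compile(r"(.)\1{63,}")
# Overlong two-byte UTF-8 (lead bytes C0/C1) used to smuggle '/' or '\'.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)
# A parent-directory step with either separator.
DOTDOT = re.compile(r"\.\.[\\/]")


def decode_stages(url, rounds=3):
    """Return the URL and each successive percent-decoding until it stops changing.

    latin-1 is used so that every decoded byte survives as one character
    instead of being replaced when it is not valid UTF-8.
    """
    stages = [url]
    for _ in range(rounds):
        nxt = unquote(stages[-1], encoding="latin-1")
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def classify(entry):
    """Return the list of findings for one 'METHOD URL' log entry."""
    _method, _, url = entry.partition(" ")
    path, _, query = url.partition("?")
    findings = []
    if IDA_EXT.search(path) and (UNICODE_ESCAPE.search(query) or LONG_RUN.search(query)):
        findings.append("ida-overflow")
    # Check every decoding stage: '..%255c' only becomes '..\' after two passes,
    # while '%c1%1c' must be caught in its raw form.
    for stage in decode_stages(url):
        if OVERLONG.search(stage) or DOTDOT.search(stage):
            findings.append("traversal")
            break
    return findings


def scan(lines):
    """Return (line_number, findings, fully_decoded_url) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        findings = classify(line)
        if findings:
            url = line.partition(" ")[2]
            hits.append((number, findings, decode_stages(url)[-1]))
    return hits


if __name__ == "__main__":
    for number, findings, decoded in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(findings)}")
        print(f"    decoded: {decoded[:80]}")
```

Run against a real httperr or W3C log, split each line on whitespace and pass `"METHOD URL"` to `classify`; entries that decode to something different from their raw form are worth a second look even when no rule fires, because that is exactly the gap URLScan-style normalisation is meant to close.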

  9. #9
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by bballad
    Looks like none of them worked, which is a positive. I'm guessing that you're running IIS 5; do yourself a favor and get URLScan from Microsoft, it will strip that stuff off of the URL before it can hit the server.
    If you remove the .ida coupling in IIS and if you put your webroot on another drive (if Windows is on C: put your webroot on D:) neither of them will work. Even if you don't patch.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  10. #10
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    sirdice, this is very true and just standard good practice, but considering MS's security record I would rather strip obviously malformed URLs before my webserver tried to parse them. In a perfect world you would have IIS on another drive, only have the extensions mapped that you needed, have the IWAM user locked down and strict NTFS permissions across the whole box. Then some new MS exploit inherent in the server would be found by script kiddies and you would get compromised.
    Never rely on one method to secure your servers, strip out those malformed URLs... it's a free tool and rather easy to set up.
    Who is more trustworthy than all of the gurus or Buddha's?
