IIS Admins Beware - Get your systems patched

There is a new exploit scanner called MehIIS (changed the name so it cannot be Google'd) which does the following:

This file allows you to scan any Windows 2000 Server (IIS 4.0/5.0) to see if the server is vulnerable or not and will show you the Exploits Link. All you have to do is to copy and paste the Exploit in to your browsers address-bar and your in. Demo supports 28 out of 255 well known exploit for win2k & NT.

WoOt to the script K!dD!3s...

I am not posting a URL for obvious reasons. If you want more info PM me.

will normal windows update patches suffice, or is there a special patch (i'm pretty sure i've already taken care of this... but i wanna be certain)

SickYourIT: Well you only have to worry about this tool if you have an IIS server. I am not sure yet on what expliots it uses.

well, for those who do use IIS. I think that the patch came out the day Bush came on TV and gave Iraq 48 hours. Not sure, though

CXG: Well..... I dunno if it's me or what but it seems to do nothing whatsoever. (I have a theory but I'll expand on my lack of knowledge in a sec.)

I scanned it in the zip and scanned it after unpacking, (I mentioned belt and suspenders right, <LOL>). I executed it by double clicking in explorer on a machine that has a HIDS on it and was being watched by Ethereal. Got the old DOS window flash up.... ok, it's not GUI. Nothing from HIDS, nothing from Ethereal.

I opened a DOS window and executed it with -h, /? and help switches..... nothing. Nothing from HIDS, nothing from Ethereal. It doesn't come with a lot of docs....<s>

Executed it with a fake web page address. Nothing. Nothing from HIDS but I got an absolutely standard DNS request to my default DNS server for the fake address. So something in there works.....<s>

Ok.... Now I'm fed up so I unpack it in a hex editor and this is where my lack of knowledge comes in. It's very first line says "This program cannot be run in DOS mode" just like the old proggies used to say "This program cannot be run under Windows" all those years ago. Is that normal for something that only seems to do anything in DOS. This is a newish file by the way 'cos it claims to have been last modified a few days ago.

Further down in the dump there are references to some windows APIs and then finally one for Perl...... I never played with perl but I think I need some kind of proggie here for my system to be able to run Perl stuff..... Or am I wrong and this thing simply doesn't like me?????

Quote:

---

Originally posted here by Tiger Shark
CXG: Well..... I dunno if it's me or what but it seems to do nothing whatsoever. (I have a theory but I'll expand on my lack of knowledge in a sec.)

I scanned it in the zip and scanned it after unpacking, (I mentioned belt and suspenders right, <LOL>). I executed it by double clicking in explorer on a machine that has a HIDS on it and was being watched by Ethereal. Got the old DOS window flash up.... ok, it's not GUI. Nothing from HIDS, nothing from Ethereal.

I opened a DOS window and executed it with -h, /? and help switches..... nothing. Nothing from HIDS, nothing from Ethereal. It doesn't come with a lot of docs....<s>

Executed it with a fake web page address. Nothing. Nothing from HIDS but I got an absolutely standard DNS request to my default DNS server for the fake address. So something in there works.....<s>

Ok.... Now I'm fed up so I unpack it in a hex editor and this is where my lack of knowledge comes in. It's very first line says "This program cannot be run in DOS mode" just like the old proggies used to say "This program cannot be run under Windows" all those years ago. Is that normal for something that only seems to do anything in DOS. This is a newish file by the way 'cos it claims to have been last modified a few days ago.

Further down in the dump there are references to some windows APIs and then finally one for Perl...... I never played with perl but I think I need some kind of proggie here for my system to be able to run Perl stuff..... Or am I wrong and this thing simply doesn't like me?????

---

I too gave it a try with pretty much the same results. Really gave me nothing other than:

Quote:

---

<< SERVER MS-IIS NADARAD >>

---

Now I am not sure what I am suppose to gain from that.

Cheers:

I actually use this type of app. to secure my ISS servers that I adminstrate. Nothing wrong with the application, only wrong is to what use you will put it too. The one I have checks for about 20,000 vulernabilities and is called N Stealh .

Here is a vulenerability scanner review.
http://archive.devx.com/security/art...I/MS0102-3.asp

DJM: I reran it against a real web site, (one of my own), and got the following reply:

www.mydomain.com: Asib Pazir Nist

Do we have any speakers of Arabic out there that can make a bit of sense out of this for us non-arabic types?

Quote:

---

Originally posted here by Tiger Shark
Do we have any speakers of Arabic out there that can make a bit of sense out of this for us non-arabic types?

---

Tiger: I found an online Arabic translator HERE but those words don't translate. Are we even sure they are words?


Cheers:

hmmm... I did (in DOS) tool.exe ip Address and it came up with a little text.

Quote:

---

Originally posted here by Tiger Shark
DJM: I reran it against a real web site, (one of my own), and got the following reply:

www.mydomain.com: Asib Pazir Nist

Do we have any speakers of Arabic out there that can make a bit of sense out of this for us non-arabic types?

---

I did a search with google and found the following site: http://www.iranian.com/May96/Opinion/GolAgha.html

Quote:

---

Note: A common Iranian is usually referred to as Asib Pazir or "vulnerable" because he or she is vulnerable to inflationary pressures.)

---

So vulnerable.. something..

Quote:

---

Originally posted here by CXGJarrod
hmmm... I did (in DOS) tool.exe ip Address and it came up with a little text.

---

I get the same response with either IP address or domain name.

Quote:

---

<< SERVER MS-IIS NADARAD >>

---

:confused:

Cheers:

DjM: same here. I just tryed it on a default installation of IIS and it did the same thing. Well maybe its not as useful as I originally thought.

Results for me: << Ip Address Asib Pazir Nist >>

One search of NADARAD brought up the word morality (although I'm not sure if it has the same meaning). Guessing I might guess that it means it's secure or safe.

Have you checked to see if this "tool" isn't, in fact, sending information out?

MsM: I hate to say this without confirmation but I'll make a wild @$$ed guess that nist is Iranian for "not". It would fit with your research making the entire phrase "vulnerable not" and it is not unusual to have the negative after the verb in many languages. Also many languages negatives begin with "n".

[EDIT]

with regard to it sending info out: I was watching my machine with a HIDS and Ethereal and the server has HIDS too...... NOT a peep from either that is suspicious unless it has scheduled it but I have no additiona processes or services running.

[/EDIT]

That coupled with the fact I ran some other tools against that particular server this am to see if I was missing any patches and it came up good would further imply that the phrase means not vulnerable.

DJM: if i am right above, and looking at the syntax of the message it gave you, I would take a look at that server if it is open to the public. If I am right that my phrase means "not vulnerable" then logically yours implies "vulnerable"..... :eek:

CXG: I ran it against my same domain but only using the IP and got my same message back. Then I ran it against an IP with no web service and it came back with "Irad az Connection".... I think we can all guess that one....LOL

[EDIT]

What service pack and patch level are you running though. If they are only giving us 28 out of 255 a simple SP3 might block the 28 holes

[/EDIT]

Quote:

---

Originally posted here by MsMittens
Have you checked to see if this "tool" isn't, in fact, sending information out?

---

netstat shows no unusual connections, and my firewall is functioning and not complaining. I don't think the tool is trying to phone home.

Cheers:

Quote:

---

Originally posted here by Tiger Shark
DJM: if i am right above, and looking at the syntax of the message it gave you, I would take a look at that server if it is open to the public. If I am right that my phrase means "not vulnerable" then logically yours implies "vulnerable"..... :eek:

---

We don't have any IIS servers open to the public, they are all behind the firewall and most are just development servers.

It would be nice if we could get a clear translation of what this tool is telling us, guessing could just lead to needless panic attacks :D

Cheers:

Doesnt look like the tool is living up to its description. I tried it on a default installation of IIS on a Win2k Service Pack 3 Box and it gave the same message.

OK.... I figured..... Screw this..... :D

If I can't understand the Iranian I can see what it is actually doing via Ethereal 'cos my server speaks english........

The dump shows that it is simply looking for scripts or files in the scripts dir that are known vulnerable, MSADC exploits, and all the other nice little ones that come with a code red/nimda event. Though when it tries to exploit cmd.exe vulnerabilities it seems to issue strange commands, (I'm guessing it's english written arabic commands for cmd.exe).

[EDIT]

Duh..... It's issuing echo commands and the subsequent text is english written arabic..... Sometimes my lack of observation astounds even me.....<s>

[/EDIT]

Needless to say my server replied with "404 - Object not found" for each event thus indicating "Asib Pazir Nist" really does mean "Not Vulnerable" therefore indicating that it found some vulnerability on DJM's server.

Basically if your permissions are set correctly and you are not previously compromised, (cmd in the scripts dir for example), this tool isn't much different to any other skiddie scanner.

Quote:

---

Originally posted here by Tiger Shark
Needless to say my server replied with "404 - Object not found" for each event thus indicating "Asib Pazir Nist" really does mean "Not Vulnerable" therefore indicating that it found some vulnerability on DJM's server.

---

Thanks for the work Tiger, I likely won't look into what is wrong with that IIS server for two reason (well this will make it three) it's behind the firewall, it's old and is scheduled to be upgraded and ported to Apache. The fact it's a vulnerable piece of crap may speed up the process of replacing it.


Cheers:, I owe ya a beer.

DJM..... Glad to have helped you with your Piece of Crap.....LOL

Labbats Blue is my poison of choice and if you are near Detroit I can give you the address of my hangout and you can buy it in person....

Tiger Shark, (Who has _never_ been known to turn down a beer)

and the link is www.astalavista.com ... first one on top

Quote:

---

Originally posted here by Tiger Shark
if you are near Detroit

---

Detroit might be a bit of a stretch, but I'll keep it in mind, who's knows, might be a good security course there someday.


Cheers:

Did anyone run this tool against something that's known to be vulnerable? Something like an IIS5.0 without any service packs. That should start some bells ringing.

Well on Monday I will have a complete report on what this thing dose, just found out that one of my coworkers is Iranian...but he went home sick today so....Monday I will go through the program with him and see what it actually says.

We use Snort for IDS, and the ACID Html viewer to read the Snor logs. I am attaching a screenshot of the ACID report. I ran this tool from my workstation to an internal IIS server on our LAN.
In checking the Snort packet captures, this tool does try a lot of directory traversal exploits (against every default IIS virtual directory in the book!) and CMD.EXE calls. But to be honest, you could run any of the vulnerability scanners out there (like Retina from eEye) to get the same result.

Ok the output is in Persian… Well most of it at least. Its poorly written and I couldn’t get the stupid thing to find my server, but here is a translation of the strings we saw,
Asiab doesn’t seem to be a word...or at least not a Persian word its from a language that my middle eastern coworker was unfamiliar with but Pazir Nist is "not permited" Irad az is "problem connecting" this is all I got. and NARAD is "doesn’t exist" so it looks like none of the systems tested where vulnerable...but we tried a system that was a clean IIS 5 install, no patches or service packs on 2k and still got Irad az, it looks like a faulty program. No worries on this one.