[Snort-users] web iis attack

Gray . Brendan bgray2 at ...3738...
Fri Oct 25 08:26:07 EDT 2002

I've tried the IIS Lockdown tool, and it looks very promising.  Haven't used
it on a production server yet, but I will be soon.  

I've noticed a trend in web attacks lately.  The usual level of "noise" has
been going down.  (noise = generic nimda)  Instead, once a week or so, one
of my servers will get totally hammered by one IP address.  It will be code
red II, nimda, and a whole bunch of stuff that I've never seen before.  The
hammering will last 30 minutes or so, then die off.  In cases like these I
excerpt the offending IP from my server logs and send it to the abuse
department of their ISP.  All I've gotten so far is an automated response,
but I can't just ignore stuff like this.

I have IIS servers and the attacks are mostly buffer overflow stuff, but
they'll throw in a bunch of %2E%2E%2E and an /etc/passwd?/c+dir+c:\ at the
end.  Not sure what they're trying to accomplish, but its getting on my last
nerves, and making me wonder if there's something new out.

Brendan Gray

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld at ...131...]
Sent: Friday, October 25, 2002 10:57 AM
To: Security Admin; user snort
Subject: RE: [Snort-users] web iis attack

Hi Guys,

Thanks to all who responded to my email (question).
AFAIK, my IIS server was patched with SP6a and
cummulative patch for the IIS.

I installed also on my linux box (apache+frontpage
extension) and I got the same attacked but the payload
say that "connection closed".  It is annoying because
in ISS payload in Acid it showed my External IP Add. 
and I dont know if this successful or not.

Thanks again for the insight of this matter.

I'm completely blind because It does not log it on my
IIS LOG.  Tell you frankly I'm not expert on IIS.

Any tips to improve my security on my win nt box will
be highly appreciated.

Your brother in Snort.

--- Security Admin <SecurityAdmin at ...7235...>
> Hi Alwin, this is a directory traversal attack (like
> code red). You can try
> it yourself by putting the line in the IIS logs into
> your browser and
> prepending your domain name. If you are on anything
> other than a windows
> platform (with iis/pws so server, pro etc) this
> attack will have no effect.
> If you are on a windows platform hopefully you have
> applied all the security
> patches and SP3.
> The %c1%1c will convert to some character....likely
> the \
> /samples/check.bat/../../../winnt/system32/cmd.exe?/
> I don't know what the c+dir? converts to but the
> attack is trying to run
> check.bat in your iissamples directory, and then
> execute cmd.exe (your
> command prompt).
> These attacks are very common, I've noticed more
> this past 2 weeks, can't
> remember exactly but something about the 19th of the
> month and code red or
> nimda....
> Hopefully you have completed basic IIS hardening on
> your box which protects
> you from most of this...
> Wayne
> -----Original Message-----
> From: Alwin Raymundo [mailto:alrayworld at ...131...] 
> Sent: Friday, October 25, 2002 5:55 AM
> To: user snort
> Subject: [Snort-users] web iis attack
> Hi Guys,
> I got a massive attack from one IP doing something
> on
> my one IIS server.  I already post it, some say that
> I
> should look at the iss log files if they succeded
> getting in or not.
> Almost a week I puzzled my self because the snort
> detect it and log the packets and everything while
> on
> ISS log there is nothing. Absolutely nothing.
> BTW, here are the sample logs in snort 
> dir+c:\
> HTTP/1.0..Host: xxx.xx.xx.91
> Is there any software or utilities that can do this?
> let me know because I want to try it myself.
> I need your help guys.
> Thanks in Advance
> Your brother in snort 
> =====
> Alwin Raymundo

More information about the Snort-users mailing list