[Snort-users] web iis attack

Hicks, John JHicks at ...5857...
Fri Oct 25 09:28:06 EDT 2002


>I have IIS servers and the attacks are mostly buffer overflow stuff, but
>they'll throw in a bunch of %2E%2E%2E and an /etc/passwd?/c+dir+c:\ at the
>end.  Not sure what they're trying to accomplish, but its getting on my
last
>nerves, and making me wonder if there's something new out.

Considering /etc/passwd is for *nix, and they seem to be trying to dir+c:\,
I'll assume you have a *very* silly script kiddy or a scanner that has no
clue what attacks are relevent to which O/S.

As for URLScan, it's a decent tool, just be sure to test it before going
into procudtion. Some of it's settings will affect certain aspects like
specific directory naming conventions, blah blah.

my 2 cents,
JOhn

-----Original Message-----
From: Gray . Brendan [mailto:bgray2 at ...3738...]
Sent: Friday, October 25, 2002 11:26 AM
To: 'Alwin Raymundo'
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] web iis attack


I've tried the IIS Lockdown tool, and it looks very promising.  Haven't used
it on a production server yet, but I will be soon.  

I've noticed a trend in web attacks lately.  The usual level of "noise" has
been going down.  (noise = generic nimda)  Instead, once a week or so, one
of my servers will get totally hammered by one IP address.  It will be code
red II, nimda, and a whole bunch of stuff that I've never seen before.  The
hammering will last 30 minutes or so, then die off.  In cases like these I
excerpt the offending IP from my server logs and send it to the abuse
department of their ISP.  All I've gotten so far is an automated response,
but I can't just ignore stuff like this.

I have IIS servers and the attacks are mostly buffer overflow stuff, but
they'll throw in a bunch of %2E%2E%2E and an /etc/passwd?/c+dir+c:\ at the
end.  Not sure what they're trying to accomplish, but its getting on my last
nerves, and making me wonder if there's something new out.

Brendan Gray

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld at ...131...]
Sent: Friday, October 25, 2002 10:57 AM
To: Security Admin; user snort
Subject: RE: [Snort-users] web iis attack


Hi Guys,

Thanks to all who responded to my email (question).
AFAIK, my IIS server was patched with SP6a and
cummulative patch for the IIS.

I installed also on my linux box (apache+frontpage
extension) and I got the same attacked but the payload
say that "connection closed".  It is annoying because
in ISS payload in Acid it showed my External IP Add. 
and I dont know if this successful or not.

Thanks again for the insight of this matter.

I'm completely blind because It does not log it on my
IIS LOG.  Tell you frankly I'm not expert on IIS.

Any tips to improve my security on my win nt box will
be highly appreciated.

Your brother in Snort.
 


--- Security Admin <SecurityAdmin at ...7235...>
wrote:
> Hi Alwin, this is a directory traversal attack (like
> code red). You can try
> it yourself by putting the line in the IIS logs into
> your browser and
> prepending your domain name. If you are on anything
> other than a windows
> platform (with iis/pws so server, pro etc) this
> attack will have no effect.
> If you are on a windows platform hopefully you have
> applied all the security
> patches and SP3.
> The %c1%1c will convert to some character....likely
> the \
> /samples/check.bat/../../../winnt/system32/cmd.exe?/
> 
> I don't know what the c+dir? converts to but the
> attack is trying to run
> check.bat in your iissamples directory, and then
> execute cmd.exe (your
> command prompt).
> These attacks are very common, I've noticed more
> this past 2 weeks, can't
> remember exactly but something about the 19th of the
> month and code red or
> nimda....
> Hopefully you have completed basic IIS hardening on
> your box which protects
> you from most of this...
> 
> Wayne
> 
> -----Original Message-----
> From: Alwin Raymundo [mailto:alrayworld at ...131...] 
> Sent: Friday, October 25, 2002 5:55 AM
> To: user snort
> Subject: [Snort-users] web iis attack
> 
> Hi Guys,
> 
> I got a massive attack from one IP doing something
> on
> my one IIS server.  I already post it, some say that
> I
> should look at the iss log files if they succeded
> getting in or not.
> 
> Almost a week I puzzled my self because the snort
> detect it and log the packets and everything while
> on
> ISS log there is nothing. Absolutely nothing.
> 
> BTW, here are the sample logs in snort 
> HEAD
>
/samples/check.bat/..%c1%1c..%c1%1c..%c1%1cwinnt/system32/cmd.exe?/c+dir?/c+
> dir+c:\
> HTTP/1.0..Host: xxx.xx.xx.91
> 
> Is there any software or utilities that can do this?
> let me know because I want to try it myself.
> 
> I need your help guys.
> 
> Thanks in Advance
> 
> Your brother in snort 
> 
> =====
> Alwin Raymundo
> 





-------------------------------------------------------
This sf.net email is sponsored by: Influence the future 
of Java(TM) technology. Join the Java Community 
Process(SM) (JCP(SM)) program now. 
http://ads.sourceforge.net/cgi-bin/redirect.pl?sunm0004en
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list