Re: Unicode Logs with Ping Activity

From: Vitaly Osipov (vosipovat_private)
Date: Fri Jul 13 2001 - 02:39:28 PDT


    the probability of source IPs being spoofed is very low, because in
    order to send a request to your IIS server, they had to establish a TCP
    connection, and this is a bit of a tricky thing to do when you try to spoof
    the source IP (not on unpatched NT, though :) )
    
    regards,
    Vitaly.
    
    myrddin_eat_private wrote:
    > 
    > Understood, and thanks for the detailed information. That is what I was
    > trying to learn!
    > 
    > Anyone have an opinion as to the likelihood of the originating address
    > not being spoofed? I counted four unique addresses that used the system
    > for ping attacks over the course of 20 days.
    > 
    > DISCLAIMER: NO, this was not my server. YES, I do know that the patch for
    > Unicode was released with bulletin MS00-057. YES, I did read the FAQ before
    > posting. Geez guys, take a pill.
    > 
    > At Tue, 10 Jul 2001 13:05:45 -0400 (EDT), Jordan K Wiens <jwiensat_private>
    > wrote:
    > 
    > >
    > >No, a 502 error is a bad gateway error; what happens is that your IIS
    > >server is unpatched against the Unicode exploits (one of them, at least)
    > >and is executing the command to ping a host.  Just recently there seems
    > >to be an increase in the number of hackers using vulnerable web servers
    > >for DDoS-like behavior using over-sized pings.
    > >
    > >When the ping command executes, it runs the pings, however, it (obviously)
    > >does not return complete HTML headers as its output (since ping was never
    > >meant to run via the web, it's not supposed to run like a normal web
    > >executable). IIS notices this, and realizes that the script hasn't
    > >correctly executed, and lets you know with the 502 error.  If you actually
    > >look at the page, the results would read something like: "502 error;
    > >the application has not returned correct headers.  The headers it did
    > >return are:" and then IIS would proceed to show the output of whatever
    > >had been shown.
    > >
    > >The error you want to see once a machine has been fully patched is usually
    > >a 404 error.
    > >
    > >--
    > >Jordan Wiens
    > >UF Network Incident Response Team
    > >(352)392-2061
    > ----------------------------------------------------------------------------
    > 
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see:
    > 
    > http://aris.securityfocus.com
    
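Added example, not part of the thread and not code posted by any of its participants: a small Python classifier that applies the 502-versus-404 test Jordan describes to IIS W3C log lines, recognises the traversal by decoding the overlong UTF-8 sequences the MS00-057 bug accepted (%c0%af for '/' and %c1%1c for '\'), and counts unique source addresses the way myrddin did. The log lines, IP addresses and field layout below are constructed for the example; a real IIS log may carry more fields and a different order.

```python
"""Classify IIS log lines for Unicode-traversal ping abuse (added example)."""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C extended log lines (not from the original thread).
# Assumed field order: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2001-06-20 03:12:44 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+65500+-t+192.0.2.9 502
2001-06-20 03:12:51 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+65500+-t+192.0.2.9 502
2001-06-24 11:40:02 203.0.113.77 GET /msadc/..%c1%1c../winnt/system32/cmd.exe /c+ping+-l+65500+-t+192.0.2.9 502
2001-06-25 08:00:13 192.0.2.200 GET /index.html - 200
2001-07-02 22:05:30 198.51.100.45 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+65500+-t+192.0.2.9 502
2001-07-09 14:31:07 203.0.113.8 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+ping+-l+65500+-t+192.0.2.9 404
"""

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)


def lenient_utf8_decode(raw: bytes) -> str:
    """Decode like a parser that accepts overlong two-byte UTF-8 sequences.

    A strict decoder rejects 0xC0/0xC1 lead bytes. The unpatched IIS decoder
    (MS00-057) folded them into the ASCII character they encode, so %c0%af
    became '/' and %c1%1c became '\\' after the '..' check had already run.
    Only the two-byte case matters for the traversal, so that is all we model.
    """
    out = []
    i = 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def canonical_path(stem: str) -> str:
    """Percent-decode, apply the lenient decoder, unify separators, lowercase."""
    return lenient_utf8_decode(unquote_to_bytes(stem)).replace("\\", "/").lower()


def is_unicode_traversal(stem: str) -> bool:
    """True when the raw stem has no literal '/../' (IIS rejected those) but
    the canonicalised stem climbs out of the web root to cmd.exe."""
    raw_has_dotdot = "/../" in stem.replace("\\", "/")
    canon = canonical_path(stem)
    return not raw_has_dotdot and "/../" in canon and "cmd.exe" in canon


def is_ping_command(query: str) -> bool:
    """cs-uri-query carries cmd.exe's arguments, e.g. '/c+ping+-l+65500+...'."""
    args = unquote_to_bytes(query).decode("latin-1").replace("+", " ").lower().split()
    return "/c" in args and "ping" in args


def classify(line: str):
    """Return (ip, verdict), or None for a line that is not a traversal ping.

    Verdicts follow the thread: 502 means IIS ran the command and the CGI
    handler complained about missing headers ('executed'); 404 is what a
    patched server answers ('blocked'); anything else is 'other'.
    """
    m = LOG_RE.match(line)
    if not m or not is_unicode_traversal(m["stem"]) or not is_ping_command(m["query"]):
        return None
    verdict = {502: "executed", 404: "blocked"}.get(int(m["status"]), "other")
    return m["ip"], verdict


def summarize(log_text: str) -> dict:
    """Group attempts by verdict, keeping the set of unique source IPs.

    Each request rode on a completed TCP handshake (Vitaly's point), so the
    c-ip field is a usable attribution, unlike the source of the ICMP flood.
    """
    by_verdict = defaultdict(set)
    for line in log_text.splitlines():
        hit = classify(line)
        if hit:
            ip, verdict = hit
            by_verdict[verdict].add(ip)
    return {k: sorted(v) for k, v in by_verdict.items()}


if __name__ == "__main__":
    for verdict, ips in summarize(SAMPLE_LOG).items():
        print(f"{verdict}: {len(ips)} unique source(s): {', '.join(ips)}")
```

On the constructed sample this reports three unique sources whose pings actually ran (502) and one that hit an already-patched path (404). The separate "raw has no literal '/../'" test is what distinguishes the Unicode variant from a plain traversal attempt, which IIS would have refused regardless of patch level.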
    



    This archive was generated by hypermail 2b30 : Fri Jul 13 2001 - 15:54:15 PDT