Re: Wave of Nimda-like hits this morning?

From: security (security_traqat_private)
Date: Tue Feb 26 2002 - 17:14:46 PST


    The GET command you're receiving is an old decode exploit that's still
    vulnerable as far as I am aware (IIS 4.0+). It allows any user to run programs
    as IUSR_MACHINENAME on Windows boxes. So if they did something like:
    http://www.yoursite.com/msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\
    (the %5c../ are just %255c broken down by the server)
    you would get a listing of C:\. I've written a proof of concept to test
    machines with http://statik.countercultured.net
    
    ----- Original Message -----
    From: "Ralph Los" <RLosat_private>
    To: <incidentsat_private>
    Sent: Tuesday, February 26, 2002 9:46 AM
    Subject: Wave of Nimda-like hits this morning?
    
    
    Hey,
    I've had multiple clients' Solaris boxes crashing this morning from
    what appears to be a Nimda-like 'scripts/..%5c../root.exe', and the usual.
    The same old unicode characters are present [%2f, %5c] but a new one has
    appeared I haven't seen yet.  This line:
    
    '/msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe'
    
    appears a few times and I'm not quite sure what to make of it...
    
    Please keep in mind that came from a Solaris box, Apache log.
    Whatever this (maybe) new bug is, it's blowing up these boxes left and
    right...can't figure it out.  They're all relatively new 1.3'ish versions I
    think.
    
    Anyone else seeing anything weird?
    
    ----------------------------------------|
    Ralph M. Los
    Sr. Security Consultant and Trainer
              EnterEdge Technology, L.L.C.
              rlosat_private
              (770) 955-9899 x.206
    ----------------------------------------|
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
    
    
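The reply above explains the mechanism behind the msadc request: the server decodes `%255c` to `%5c`, then decodes again to `\`, so what looks like an opaque string is a `..\..\..\` traversal to cmd.exe. What follows is an added example, not code from either poster in this thread: a small Python scanner that canonicalizes request paths the way the vulnerable IIS target would (repeated percent-decoding plus lenient folding of the overlong two-byte sequences behind the IIS "Unicode" bug, MS00-078, where `%c0%af` becomes `/` and `%c1%1c` becomes `\`) and then labels each request. The Apache log lines are constructed for the example and the function names are mine; the lenient-decode formula (`((b1 & 0x1F) << 6) | (b2 & 0x3F)`) is an emulation of that IIS behaviour, not a quote of any IIS source.

```python
import re

# Constructed sample Apache access-log lines (not taken from the thread);
# the request strings mirror the patterns discussed in the two messages.
SAMPLE_LOG = [
    '10.0.0.1 - - [26/Feb/2002:09:12:01 -0500] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.2 - - [26/Feb/2002:09:12:02 -0500] "GET /msadc/..%255c..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 404 -',
    '10.0.0.3 - - [26/Feb/2002:09:12:03 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.4 - - [26/Feb/2002:09:12:04 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 -',
    '10.0.0.5 - - [26/Feb/2002:09:12:05 -0500] "GET /files/report%2520final.pdf HTTP/1.0" 200 9001',
    '10.0.0.6 - - [26/Feb/2002:09:12:06 -0500] "GET /index.html HTTP/1.0" 200 1234',
]

PCT = re.compile(r'%([0-9A-Fa-f]{2})')
LOG_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')
TRAVERSAL = re.compile(r'(?:^|/)\.\.(?:/|$)')
TARGETS = ('cmd.exe', 'root.exe')


def percent_decode_once(s):
    """One pass of %XX decoding.

    Emulates the lenient decoder behind the IIS 'Unicode' bug (MS00-078):
    a lead byte of 0xC0/0xC1 followed by another %XX is folded into one
    ASCII byte from the low bits, so %c0%af -> '/' and %c1%1c -> '\\'.
    A strict UTF-8 decoder would reject those sequences as overlong/invalid.
    Returns (decoded_text, number_of_overlong_sequences_folded).
    """
    out, i, overlong = [], 0, 0
    while i < len(s):
        m = PCT.match(s, i)
        if not m:
            out.append(s[i])
            i += 1
            continue
        b, i = int(m.group(1), 16), m.end()
        if b in (0xC0, 0xC1):
            m2 = PCT.match(s, i)
            if m2:
                b2, i = int(m2.group(1), 16), m2.end()
                b = ((b & 0x1F) << 6) | (b2 & 0x3F)  # emulated lenient fold
                overlong += 1
        out.append(chr(b))
    return ''.join(out), overlong


def canonicalize(path, max_rounds=3):
    """Decode until the string stops changing (bounded), then map '\\' to '/'.

    The round count is the interesting part: %255c only becomes a path
    separator on the second pass, which is the double-decode the reply
    describes. Returns (canonical_path, rounds_needed, overlong_folds).
    """
    rounds, overlong_total = 0, 0
    while rounds < max_rounds:
        decoded, overlong = percent_decode_once(path)
        if decoded == path:
            break
        path, rounds, overlong_total = decoded, rounds + 1, overlong_total + overlong
    return path.replace('\\', '/'), rounds, overlong_total


def classify(request_path):
    """Label a request path (query string already stripped off)."""
    canon, rounds, overlong = canonicalize(request_path)
    lower = canon.lower()
    traversal = bool(TRAVERSAL.search(lower))
    target = any(t in lower for t in TARGETS)
    if traversal and target:
        if overlong:
            return 'traversal (overlong utf-8)'
        if rounds >= 2:
            return 'traversal (double-decode)'
        return 'traversal'
    if target:
        return 'cmd.exe/root.exe probe'
    return 'benign'


def scan_log(lines):
    """Return [(raw_request_url, label)] for each parseable log line."""
    results = []
    for line in lines:
        m = LOG_REQUEST.search(line)
        if not m:
            continue
        url = m.group(1)
        results.append((url, classify(url.split('?', 1)[0])))
    return results


if __name__ == '__main__':
    for url, label in scan_log(SAMPLE_LOG):
        print(f'{label:28} {url}')
```

Two points the output makes that the raw log does not: the `%2520` request decodes twice as well but canonicalizes to a harmless filename, so "double encoding" alone is not the indicator, the traversal after decoding is; and the canonicalization here is what the IIS target would have done, not what Apache does, which decodes once, so on an Apache/Solaris box these requests only ever land as failed requests and the scanner's value there is measuring worm noise, not finding compromise.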
    



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 18:26:33 PST