It's time again to ask the group for some assistance with interpretation of web logs and snort alerts. There was some funny activity on the web farm. I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on some of our web servers, queueing me in to the fact that the servers in question were not patched against a Unicode-type vulnerability. I found the offending IP, and tracked it back to a broadband home connection. I think with reasonable certainty that the attack was not spoofed (because of the nature of TCP and the fact that he received a response from the web server); however, I cannot rule out the possibility of the host being compromised. Knowing this, I reported it to our ISP and blocked access immediately, and began to analyze the logs more closely. The web logs are continuous, so I am assuming that they are intact, though they may be suspect. There are no lapses in time, and the logs appear to be fairly contiguous. I also noticed that the attack was scripted, as there were many WEB-IIS SAM RETRIEVAL attempts interspersed with the Unicode strings, all happening in less than 10 seconds. The log entries of the first server are below. Web log entries: 2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - - 2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - - This is an IIS 5.0/Win2k Server with SP2 and Latest Hotfixes per HFNETCHECK, which I thought would preclude this server from being vulnerable to a Unicode-type attack. The only thing that has not been done is running URLSCAN and IISLOCKDOWN. Obviously, these will be my steps for patching the servers, but I would like to ask for some assistance with replicating the attack. INTERESTING NOTE: The web logs indicate that the URL Requested was (correct me if I'm wrong) http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir (possibly with a c:\ at the end). When running this URL against the server, it produces a 404 error on the server rather than listing the drive contents. The snort logs (Snort/MySQL/PHP/ACID/Apache) indicate that the URL was http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir . I guess my question is three-fold: 1) Does the IIS server "decode" the string before logging it to the web logs? 2) Does the Snort IDS "decode" the string before logging it to MySQL? 3) Since there are few (if any) thorough Unicode scanners, is it possible to write a perl script that could check for all possible Unicode variants on a given web server to test the effectiveness of the URLSCAN and IISLOCKDOWN utilities (pre-change/post-change pen-test)? I have some "shell" programs like uni.pl, but am a little confused about how to generate all of the possible combinations. If you guys can provide any assistance with this, it would be great. If not, thanks for taking the time to read the post. Have a good one! -Jeremy ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Nov 13 2002 - 09:28:14 PST