RE: ncacn_http/1.0

From: McCammon, Keith (Keith.McCammonat_private)
Date: Thu Mar 07 2002 - 10:19:57 PST


    That's probably not good.  Ncacn_http allows client/server applications
    to communicate via the internet (or any IP network) by using IIS to
    "proxy" the requests.  Thus, an application that would normally be
    prevented from accessing the internet could be piped out a public IP on
    port 80 (in the case of ncacn_http, anyway).  The port on which the host
    is listening is somewhat irrelevant, as port 80 only needs to be open on
    the IIS server that is acting as the application proxy.  
    
    This is oversimplified, and I've certainly left out most of the details,
    but this is basically what ncacn_http is used for.  
    
    Keith
    
    -----Original Message-----
    From: theGoooat_private [mailto:theGoooat_private]
    Sent: Thursday, March 07, 2002 5:37 AM
    To: incidentsat_private; pen-testat_private
    Subject: ncacn_http/1.0
    
    
    
     I have been getting Nimda-like scans from different hosts this morning.
    
    
    	
    /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNN
    	scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir
    	_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe
    	/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir
    
     When I checked these hosts, I found that they have some ports that
    display "ncacn_http/1.0" when you connect to them. Is this Netcat or
    something else? 
     BTW, all these servers don't have a port 80 open and they are Windows
    machines.
    
    Regards,
    Sameh
    ========================================
    Sameh Y. Farag
    Security Engineer
    Internet Security Systems - Middle East
    Tel:        +2 02 7607011
    Fax:        +2 02 7607013
    <http://www.iss.net/>
    The power to protect
    ======================================== 
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    



    This archive was generated by hypermail 2b30 : Thu Mar 07 2002 - 12:32:20 PST
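
The request strings quoted in the original message, run through a small log classifier that decodes them the way a lenient server would before matching. This is an added example, not part of the thread; the finding labels, function names and sample list are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed input: paths quoted in the message (padding length made up) plus one benign request.
SAMPLE_REQUESTS = [
    "/default.ida?" + "N" * 86,
    "/scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir",
    "/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe",
    "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir",
    "/index.html?q=report%20march",
]
OVERLONG = re.compile(rb"[\xc0\xc1][\x80-\xbf]")  # 2-byte UTF-8 forms of ASCII

def normalize(path: str, max_rounds: int = 5) -> str:
    """Decode repeatedly so %255c, %25%35%63 and %c1%9c all become a separator."""
    data = path.encode("latin-1", "replace")
    for _ in range(max_rounds):
        step = unquote_to_bytes(data)
        # C1 9C -> ((0xC1 & 0x1F) << 6) | (0x9C & 0x3F) = 0x5C, a backslash
        step = OVERLONG.sub(
            lambda m: bytes([((m[0][0] & 0x1F) << 6) | (m[0][1] & 0x3F)]), step)
        if step == data:
            break
        data = step
    return data.decode("latin-1").replace("\\", "/").lower()

def escapes_root(path: str) -> bool:
    """True when '..' segments climb above the first path component."""
    depth = 0
    for seg in path.split("?", 1)[0].split("/"):
        depth += -1 if seg == ".." else 0 if seg in ("", ".") else 1
        if depth < 0:
            return True
    return False

def classify(path: str) -> list:
    norm, findings = normalize(path), []
    if escapes_root(norm):
        raw = escapes_root(path.replace("\\", "/"))
        findings.append("traversal" if raw else "encoded-traversal")
    if re.search(r"/cmd\.exe(\?|$)", norm):
        findings.append("cmd.exe")
    if re.search(r"\.ida\?(.)\1{31,}", norm):
        findings.append("ida-padding")
    return findings

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(classify(req) or ["clean"], req[:60])
```

Matching on the raw log line alone misses all three cmd.exe requests as traversals, because the `..` segments only line up after the second decoding pass or the overlong-byte fold.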