In-Reply-To: <20020104192111.15122.qmailat_private>

This appears to just be a webserver used by Yahoo IM to xfer files; check your IM preferences for file xfer options (which includes a path to virus scanner executable). The default port appears to be port 80 so Code Red, Nimda and all usual scans will be hitting this baby and showing up in the Yserver.log. There could be some options for attack here but I've yet to explore them.

I tried to manually grab a file using the format shown in Yserver.log; I sent a file to myself and it looks like the file was checked first (Head image/jpeg) and then sent. Myname618 is my (sanitized) yahoo email address, not sure what the 1010383053484 is, but acid_test.jpg is the file I sent. Could be some options for something other than /Messenger as the initial connection string and AppID=Messenger. Could be a way to spoof usernames here; not sure what the K=lc9lid is in this case, needs more analysis when I have more time.

The HEAD request:

    01/06/102 23:57:42.593 01/06/102 23:57:42.625 00:00:00.032 192.168.1.2 Head image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 0 .jpg
    HEAD /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
    Accept: */*
    User-Agent: Mozilla/4.01 [en] (Win95; I)
    Host: 192.168.1.2
    Content-Length: 0
    Cache-Control: no-cache

The GET request:

    01/06/102 23:57:42.640 01/06/102 23:57:42.796 00:00:00.156 192.168.1.2 Get image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 249051 .jpg
    GET /Messenger.myname618.1010383053484acid_test.jpg?AppID=Messenger&UserID=myname618&K=lc9lid HTTP/1.1
    User-Agent: Mozilla/4.01 [en] (Win95; I)
    Host: 192.168.1.2
    Connection: Keep-Alive

I tried a basic directory traversal, as well as manually pasting one of the requests from the logfiles into a "telnet localhost 80" and received this:

    HTTP/1.0 550 Failed on redirect
    Server: Y!
Running Yserver.exe directly brings up a "Component Server" window. The only intelligible strings I can see from viewing the EXE are .text .rdata .data .rsrc

Probably some room for exploitation somewhere in here, but I don't have time to mess with it. Have fun, let me know what you come up with if anything.

CWsecgeek
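Since the post notes that worm scans and traversal attempts land in Yserver.log alongside real transfers, here is an added example (not part of the original post, and not Yahoo's code) that parses the summary-line layout shown above and flags entries that do not look like a /Messenger.<user>.<id><file> transfer. The field order, the XFER_RE path shape and the sample log lines are assumptions derived from the two log excerpts in the post; the two extra sample lines are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Summary-line layout as seen in the post's Yserver.log excerpt (assumed):
# start end elapsed client_ip method content_type path status bytes ext
# The "102" year field is copied as logged; it is 1900-based, so 102 = 2002.
SUMMARY_RE = re.compile(
    r"^(?P<start>\S+ \S+)\s+(?P<end>\S+ \S+)\s+(?P<elapsed>\S+)\s+"
    r"(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>\S+)\s+(?P<ctype>\S+)\s+"
    r"(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<size>\d+)\s+(?P<ext>\S+)\s*$"
)
# Shape of a normal transfer path in the post: /Messenger.<userid>.<digits><filename>
XFER_RE = re.compile(r"^/Messenger\.(?P<user>[\w.-]+)\.(?P<id>\d+)(?P<file>[^/?]+)$")

@dataclass
class Entry:
    client: str
    method: str
    path: str
    status: int
    size: int
    flags: List[str] = field(default_factory=list)

def parse_summary(line: str) -> Optional[Entry]:
    """Parse one summary line; raw request/header lines return None."""
    m = SUMMARY_RE.match(line.strip())
    if not m:
        return None
    e = Entry(m["client"], m["method"].upper(), m["path"], int(m["status"]), int(m["size"]))
    if ".." in e.path:                 # dot-dot segments in the requested path
        e.flags.append("traversal")
    if not XFER_RE.match(e.path):      # anything not shaped like a Messenger transfer
        e.flags.append("non-messenger-path")
    if e.status >= 400:                # refusals such as the 550 quoted in the post
        e.flags.append("error-status")
    return e

def scan_log(text: str) -> List[Entry]:
    """Return only the entries that raised at least one flag."""
    return [e for e in (parse_summary(l) for l in text.splitlines()) if e and e.flags]

# Constructed sample: the two lines from the post plus two invented scanner hits
# (the 550 status on the invented lines is an assumption, not observed behaviour).
SAMPLE_LOG = """\
01/06/102 23:57:42.593 01/06/102 23:57:42.625 00:00:00.032 192.168.1.2 Head image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 0 .jpg
01/06/102 23:57:42.640 01/06/102 23:57:42.796 00:00:00.156 192.168.1.2 Get image/jpeg /Messenger.myname618.1010383053484acid_test.jpg 200 249051 .jpg
01/06/102 23:59:01.000 01/06/102 23:59:01.010 00:00:00.010 10.0.0.7 Get text/html /default.ida 550 0 .ida
01/06/102 23:59:30.000 01/06/102 23:59:30.005 00:00:00.005 10.0.0.7 Get text/html /Messenger.myname618.1010383053484../../boot.ini 550 0 .ini
"""

if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(e.client, e.method, e.path, e.flags)
```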
This archive was generated by hypermail 2b30 : Mon Jan 07 2002 - 10:49:09 PST