
Thread: Site Break IN

  1. #1
    Savage Guest

    Site Break IN


    Below is the log file from someone trying to break in. What are they trying
    to do?
    Thanks for any help.
    Savage

    2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe /c+dir 404 -

  2. #2
    Matt Liotta Guest

    Re: Site Break IN

    Execute arbitrary commands on your system. This is a known exploit for IIS.

    -Matt

    "Savage" <vondras@enteract.com> wrote in message
    news:3b34f65c$1@news.devx.com...
    >
    > Below is the log file from someone trying to break in. What are they trying
    > to do.
    > Thanks For any help.
    > Savage
    >
    > 2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > 2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -




  3. #3
    Michael Howard Guest

    Re: Site Break IN


    It's the Unicode 'sploit.


    "Savage" <vondras@enteract.com> wrote:
    >
    >Below is the log file from someone trying to break in. What are they trying
    >to do.
    >Thanks For any help.
    >Savage
    >
    >2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -



  4. #4
    Eli Allen Guest

    Re: Site Break IN

    No, it's UTF-8.

    Eli Allen

    "Michael Howard" <mikehow@microsoft.com> wrote in message
    news:3b3a5749$1@news.devx.com...
    >
    > it's the unicode 'sploit.
    >
    >
    > "Savage" <vondras@enteract.com> wrote:
    > >
    > >Below is the log file from someone trying to break in. What are they trying
    > >to do.
    > >Thanks For any help.
    > >Savage
    > >
    > >2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
    > >2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..??../winnt/system32/cmd.exe /c+dir 404 -
    >




  5. #5
    Stephen Guest

    Re: Site Break IN


    This person obviously has read about the Unicode exploit in IIS 4.0 and 5.0
    and is trying it out on your webserver. Only thing is, the exploit has many
    possible forms owing to the different Unicode tables available. Looks like
    he/she is trying them out one by one, trying to see which one(s) work.

    Go get the patch from microsoft.

    If you cannot find it, let me know :-)



    "Savage" <vondras@enteract.com> wrote:
    >
    >Below is the log file from someone trying to break in. What are they trying
    >to do.
    >Thanks For any help.
    >Savage
    >
    >2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -



  6. #6
    Stephan Blanchard Guest

    Re: Site Break IN


    The guy is just trying to see if there are any security holes in the web server.
    If he successfully manages to execute cmd.exe he knows that there is a hole.

    "Savage" <vondras@enteract.com> wrote:
    >
    >Below is the log file from someone trying to break in. What are they trying
    >to do.
    >Thanks For any help.
    >Savage
    >
    >2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -



  7. #7
    VN Guest

    Re: Site Break IN


    Looks like they are trying to get to your IIS server and finding out whether
    the remote cmd invocation bug has been fixed on your server or not.

    "Savage" <vondras@enteract.com> wrote:
    >
    >Below is the log file from someone trying to break in. What are they trying
    >to do.
    >Thanks For any help.
    >Savage
    >
    >2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -



  8. #8
    olo bradshaw Guest

    Re: Site Break IN


    Here is some information on the logs:

    Date of attack : 06/21/2001 (mm/dd/yyyy)
    Time of Attack : 10:18PM
    Source Of Attack : 24.19.216.36
    Destination Address Of Attack : 65.114.73.230
    Destination Port Of Attack : 80
    Attack Name : Microsoft IIS 5.0/4.0 UNICODE Vulnerability
    Attack Description : The reported attack uses a vulnerability in Microsoft IIS
    to traverse directories outside of the webroot. This allows an attacker to
    gain anonymous access to the system running the webserver.
    Advisory Number (MICROSOFT) : Q269862
    Date of Advisory : 08/26/2000 (mm/dd/yyyy)


    Hope this helps just a little.
    ------o1o
    "Savage" <vondras@enteract.com> wrote:
    >
    >Below is the log file from someone trying to break in. What are they trying
    >to do.
    >Thanks For any help.
    >Savage
    >
    >2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe
    >/c+dir 404 -
    >2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe
    >/c+dir 404 -
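
Stephen's reply (the exploit has many encoded forms and the attacker cycles through them one by one) and olo bradshaw's summary (source, destination, time window, outcome) together describe what a defender wants to pull out of a log like Savage's: who probed, how many encoding variants they tried, over what time span, and whether any attempt got past the 404. The script below is an added example for this thread, not code from any of the posters. It assumes the field layout visible in the posted lines (date, time, client IP, username, server IP, port, method, URI stem, URI query, status, one trailing field); the sample log is constructed from the eleven posted lines, joined back onto one line each, plus two invented entries (a benign request and one with a 200 status from a made-up address) so that the "probe succeeded" path is exercised.

```python
"""Triage IIS W3C extended log lines for cmd.exe traversal probes.

Added example for this thread, not code from any of the posters. The field
layout is inferred from the lines Savage posted; check it against the
#Fields: header of a real log before relying on it.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_to_bytes

# Constructed sample: the eleven lines from the original post, re-joined onto
# one line each, plus a benign request and one constructed line with a 200
# status (source 203.0.113.9) so the "probe succeeded" branch is exercised.
SAMPLE_LOG = """\
2001-06-21 22:18:32 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:13 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%pc../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:17 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%9v../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:20:29 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%qf../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..%8s../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:24 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:28 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:36 24.19.216.36 - 65.114.73.230 80 GET /winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:21:41 24.19.216.36 - 65.114.73.230 80 GET /scripts/..../winnt/system32/cmd.exe /c+dir 404 -
2001-06-21 22:25:00 198.51.100.7 - 65.114.73.230 80 GET /default.htm - 200 -
2001-06-21 22:30:05 203.0.113.9 - 65.114.73.230 80 GET /scripts/..o../winnt/system32/cmd.exe /c+dir 200 -
"""

# Assumed field order, taken from the shape of the posted lines.
FIELDS = ("date", "time", "c_ip", "cs_username", "s_ip", "s_port",
          "cs_method", "cs_uri_stem", "cs_uri_query", "sc_status", "trailing")

# ".." + anything but a slash + "..": matches the ..%pc.., ..o.., .... forms
# in the raw (still encoded) stem, whatever bytes the encoder tried.
DOTDOT_VARIANT = re.compile(r"\.\.[^/]*\.\.")
SYSTEM_BINARY = re.compile(r"system32|cmd\.exe", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict; None for comments, blanks, bad lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def indicators(rec):
    """Return the reasons a parsed request looks like a cmd.exe probe."""
    stem, query = rec["cs_uri_stem"], rec["cs_uri_query"]
    found = []
    # Decode percent escapes to raw bytes so that invalid or non-ASCII
    # sequences survive instead of being replaced before inspection.
    segments = unquote_to_bytes(stem).replace(b"\\", b"/").split(b"/")
    if any(seg.startswith(b"..") for seg in segments):
        found.append("traversal segment after decoding")
    if DOTDOT_VARIANT.search(stem):
        found.append("encoded dot-dot variant in raw path")
    if SYSTEM_BINARY.search(stem):
        found.append("system executable in path")
    if query.startswith("/c"):  # "/c+dir" is cmd.exe's "/c dir"
        found.append("cmd.exe /c argument in query")
    return found


def triage(log_text):
    """Group flagged requests by source IP: count, variants tried, outcome."""
    per_ip = defaultdict(lambda: {"requests": 0, "variants": set(),
                                  "first": None, "last": None, "succeeded": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not indicators(rec):
            continue
        entry = per_ip[rec["c_ip"]]
        entry["requests"] += 1
        entry["variants"].add(rec["cs_uri_stem"])
        stamp = rec["date"] + " " + rec["time"]
        entry["first"] = entry["first"] or stamp  # assumes chronological input
        entry["last"] = stamp
        # 404 means IIS never resolved the path; a 2xx on a flagged request
        # means the traversal worked and the host needs incident handling.
        if rec["sc_status"].startswith("2"):
            entry["succeeded"].append(rec["cs_uri_stem"])
    return dict(per_ip)


def report(summary):
    """Render the triage summary as one line per source IP."""
    lines = []
    for ip, e in sorted(summary.items()):
        verdict = "SUCCEEDED" if e["succeeded"] else "all rejected"
        lines.append(f"{ip}: {e['requests']} probes, {len(e['variants'])} "
                     f"encoding variants, {e['first']} .. {e['last']}, {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run as-is it prints one line per source. On Savage's eleven lines it reports seven distinct encoding variants from 24.19.216.36 within about three minutes, all rejected with 404, which is Stephen's reading of the thread; the constructed 203.0.113.9 entry shows the case that actually matters, a flagged request answered with 2xx. In practice the 2xx branch is the alert condition, and the per-source variant count is a useful way to tell a scripted scanner from a single stray request.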


