Server attack - info please?

A friend runs IIS on a windows XP system. The following is an excerpt
from his logfile. It appears someone is trying to get iis to run the
command line interpreter. This raises a couple questions, and since I
use apache I really don't know enough to answer them.
1) Will IIS actually run an exe file?
2) If so, how can such attacks be stopped?
3) I'm also wondering why GET / might result in a 500 error?

Thanks for any help.

Gene

>>>>>> The Log file:
05:19:35 24.214.186.70 GET / 500
06:18:40 24.4.168.26 GET / 500
07:10:02 24.7.32.109 GET /scripts/root.exe 404
07:10:02 24.7.32.109 GET /MSADC/root.exe 404
07:10:02 24.7.32.109 GET /c/winnt/system32/cmd.exe 404
07:10:02 24.7.32.109 GET /d/winnt/system32/cmd.exe 404
07:10:03 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500
07:10:03 24.7.32.109 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
07:10:03 24.7.32.109 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
07:10:03 24.7.32.109 GET /msadc/..%5c../..%5c../..%5c/..Á?../..Á?../..Á?../winnt/system32/cmd.exe 404
07:10:05 24.7.32.109 GET /scripts/..Á?../winnt/system32/cmd.exe 500
07:10:05 24.7.32.109 GET /scripts/winnt/system32/cmd.exe 404
07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
07:10:06 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500

1. If the server isn't secure..... yes
2. Secure the server (IIS Lockdown being an excellent utility in helping to do such)
3. Any number of reasons (incorrect parameter format etc etc etc) but it should actually be locked down and thus, reporting a 404

"Gene" <n***@brightstar.ath.cx> wrote in message
news:42a7001d$0$40894$8046368a@newsreader.iphouse.net...
> A friend runs IIS on a windows XP system. The following is an excerpt
> from his logfile. It appears someone is trying to get iis to run the
> command line interpreter. This raises a couple questions, and since I
> use apache I really don't know enough to answer them.
> 1) Will IIS actually run an exe file?
> 2) If so, how can such attacks be stopped?
> 3) I'm also wondering why GET / might result in a 500 error?
>
> Thanks for any help.
>
> Gene
>
> >>>>>> The Log file:
> 05:19:35 24.214.186.70 GET / 500
> 06:18:40 24.4.168.26 GET / 500
> 07:10:02 24.7.32.109 GET /scripts/root.exe 404
> 07:10:02 24.7.32.109 GET /MSADC/root.exe 404
> 07:10:02 24.7.32.109 GET /c/winnt/system32/cmd.exe 404
> 07:10:02 24.7.32.109 GET /d/winnt/system32/cmd.exe 404
> 07:10:03 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500
> 07:10:03 24.7.32.109 GET
> /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
> 07:10:03 24.7.32.109 GET
> /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
> 07:10:03 24.7.32.109 GET
> /msadc/..%5c../..%5c../..%5c/..Á?../..Á?../..Á?../winnt/system32/cmd.exe 404
> 07:10:05 24.7.32.109 GET /scripts/..Á?../winnt/system32/cmd.exe 500
> 07:10:05 24.7.32.109 GET /scripts/winnt/system32/cmd.exe 404
> 07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
> 07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
> 07:10:06 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500

On Wed, 08 Jun 2005 09:26:09 -0500, Gene <n***@brightstar.ath.cx>
wrote:

>A friend runs IIS on a windows XP system. The following is an excerpt
>from his logfile. It appears someone is trying to get iis to run the
>command line interpreter. This raises a couple questions, and since I
>use apache I really don't know enough to answer them.
> 1) Will IIS actually run an exe file?

Yes, if proper permission is granted.

> 2) If so, how can such attacks be stopped?

Don't grant permission for web accounts to EXE files you don't want
run. Use a tool such as URLScan to block the EXE extension, or in
Server 2003 don't enable EXE as a web service extension.

> 3) I'm also wondering why GET / might result in a 500 error?

A 500 error is simply an internal error. Not allowing parent paths
for example will cause this.

Jeff

>Thanks for any help.
>
>Gene
>
>
>>>>>> The Log file:
>05:19:35 24.214.186.70 GET / 500
>06:18:40 24.4.168.26 GET / 500
>07:10:02 24.7.32.109 GET /scripts/root.exe 404
>07:10:02 24.7.32.109 GET /MSADC/root.exe 404
>07:10:02 24.7.32.109 GET /c/winnt/system32/cmd.exe 404
>07:10:02 24.7.32.109 GET /d/winnt/system32/cmd.exe 404
>07:10:03 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500
>07:10:03 24.7.32.109 GET
>/_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
>07:10:03 24.7.32.109 GET
>/_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
>07:10:03 24.7.32.109 GET
>/msadc/..%5c../..%5c../..%5c/..Á?../..Á?../..Á?../winnt/system32/cmd.exe 404
>07:10:05 24.7.32.109 GET /scripts/..Á?../winnt/system32/cmd.exe 500
>07:10:05 24.7.32.109 GET /scripts/winnt/system32/cmd.exe 404
>07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
>07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
>07:10:06 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500

Well, it seems to me like someone is trying to exploit the unicode bug of
IIS..

"Gene" <n***@brightstar.ath.cx> wrote in message
news:42a7001d$0$40894$8046368a@newsreader.iphouse.net...
>A friend runs IIS on a windows XP system. The following is an excerpt from
>his logfile. It appears someone is trying to get iis to run the command
>line interpreter. This raises a couple questions, and since I use apache I
>really don't know enough to answer them.
> 1) Will IIS actually run an exe file?
> 2) If so, how can such attacks be stopped?
> 3) I'm also wondering why GET / might result in a 500 error?
>
> Thanks for any help.
>
> Gene
>
> >>>>>> The Log file:
> 05:19:35 24.214.186.70 GET / 500
> 06:18:40 24.4.168.26 GET / 500
> 07:10:02 24.7.32.109 GET /scripts/root.exe 404
> 07:10:02 24.7.32.109 GET /MSADC/root.exe 404
> 07:10:02 24.7.32.109 GET /c/winnt/system32/cmd.exe 404
> 07:10:02 24.7.32.109 GET /d/winnt/system32/cmd.exe 404
> 07:10:03 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500
> 07:10:03 24.7.32.109 GET
> /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 500
> 07:10:03 24.7.32.109 GET
> /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
> 07:10:03 24.7.32.109 GET
> /msadc/..%5c../..%5c../..%5c/..Á?../..Á?../..Á?../winnt/system32/cmd.exe
> 404
> 07:10:05 24.7.32.109 GET /scripts/..Á?../winnt/system32/cmd.exe 500
> 07:10:05 24.7.32.109 GET /scripts/winnt/system32/cmd.exe 404
> 07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
> 07:10:05 24.7.32.109 GET /winnt/system32/cmd.exe 404
> 07:10:06 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500
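
Added example, not part of the original thread or written by any poster: a Python sketch of triaging a log like the one posted, counting traversal and cmd.exe/root.exe requests per client and listing the ones answered with something other than 404, since the first reply says a locked-down server should report 404. The function names and the 192.0.2.10 log line are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Layout: time, client IP, method, URI, status. Only the 192.0.2.10 line is constructed.
SAMPLE_LOG = """\
05:19:35 24.214.186.70 GET / 500
07:10:02 24.7.32.109 GET /scripts/root.exe 404
07:10:02 24.7.32.109 GET /c/winnt/system32/cmd.exe 404
07:10:03 24.7.32.109 GET /scripts/..%5c../winnt/system32/cmd.exe 500
07:12:44 192.0.2.10 GET /default.htm 200
"""
LINE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\S+) (\d{3})$")
PROBED_FILES = ("cmd.exe", "root.exe")  # file names requested in the posted log

def decode_fully(uri, rounds=3):  # repeat percent-decoding to expose nested encodings
    for _ in range(rounds):
        decoded = unquote(uri, errors="replace")
        if decoded == uri:
            break
        uri = decoded
    return uri

def classify(uri):
    """Return the reasons a request URI looks like a probe (empty list if none)."""
    path = decode_fully(uri).lower().replace("\\", "/")
    reasons = []
    if "../" in path or path.endswith("/.."):
        reasons.append("traversal")
    if path.rsplit("/", 1)[-1].split("?")[0] in PROBED_FILES:
        reasons.append("exe-probe")
    return reasons

def summarise(log_text):
    """Per client IP: number of probes, and the probes not answered with 404."""
    report = defaultdict(lambda: {"probes": 0, "non_404": []})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        reasons = classify(m.group(4)) if m else []
        if not reasons:
            continue
        entry = report[m.group(2)]
        entry["probes"] += 1
        if m.group(5) != "404":
            entry["non_404"].append((m.group(4), m.group(5)))
    return dict(report)

if __name__ == "__main__":
    for ip, info in summarise(SAMPLE_LOG).items():
        print(ip, info["probes"], info["non_404"])
```

The `GET / 500` entry is deliberately not flagged: it is an ordinary request that failed, which is a configuration question rather than a probe.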