Re: Security ?'s Concerning Log File
From: Alessandro Perilli (peris_at_tiscali.it)
Date: 06/05/03
- Next message: Gary Seven: "Re: HTTP/1.1 400 Bad Request From anything but IE/PC"
- Previous message: Dolemite: "Re: IIS logging of authorization failures?"
- In reply to: Shawn: "Security ?'s Concerning Log File"
Date: Thu, 5 Jun 2003 21:06:33 +0200
On Thu, 5 Jun 2003 10:24:48 -0700, Shawn wrote:
> Can anyone tell me what the following does and if
> information is actually being gathered from my server....
>
> Thanks,
>
> Shawn
Shawn,
this seems a typical log appearing when a cracker (a lamer in this
case...), using a network vulnerability scanner, or a worm (NIMDA in
particular) is trying to exploit a well-known IIS vulnerability: the
so-called "directory traversal", using Unicode characters inside the
requested URL (popularly called the "Unicode attack").
These papers should give you enough details:
http://www.hackersnews.org/tools/1130_MicrosoftIISUnicodeExploitExplained.doc
http://www.ists.dartmouth.edu/IRIA/knowledge_base/iria_technical_reports/iria_tr_2001_01_full.htm
I'm quite sure it's a Nimda scan because root.exe is requested as the first
URL (after default.htm). Here is a deep Nimda analysis to compare with your log:
http://aris.securityfocus.com/alerts/nimda/010921-Analysis-Nimda-v2.pdf
Your server seems patched since no 200 responses appear for every attacking
URL.
--
Alessandro Perilli
Security Consultant / Trainer
MCT - MCSE 2000 - LINUX+ CCSI - CCSE 2000 - CCSE+ NG CCNA - CIWP - CIWSA - CCA XP SECURITY+
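
The triage described in the reply above (find the probe URLs, then confirm none of them was answered with a 200), as an added example that is not part of the original message. The field layout, addresses and log lines are constructed, and the patterns beyond root.exe (cmd.exe, overlong and double-encoded separators) are assumptions drawn from public write-ups of this scan traffic.

```python
import re
from urllib.parse import unquote

# Constructed sample in a simplified IIS W3C layout (assumed field order).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-05 17:01:10 192.0.2.10 GET /default.htm - 200
2003-06-05 17:01:11 192.0.2.10 GET /scripts/root.exe /c+dir 404
2003-06-05 17:01:12 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2003-06-05 17:01:13 192.0.2.10 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 500
2003-06-05 17:02:00 198.51.100.7 GET /images/logo.gif - 200
"""

SUSPECT_FILES = {"root.exe", "cmd.exe"}                 # assumed watch list
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.I)      # C0/C1 lead byte is never valid UTF-8
TRAVERSAL = re.compile(r"\.\.[\\/]")

def classify(stem):
    """Return the reasons a requested path looks like a traversal probe."""
    decoded = stem
    for _ in range(3):                  # undo nested encoding: %255c -> %5c -> \
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    reasons = []
    if OVERLONG.search(stem):
        reasons.append("overlong-utf8")
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if decoded.replace("\\", "/").rsplit("/", 1)[-1].lower() in SUSPECT_FILES:
        reasons.append("shell-binary")
    return reasons

def scan(log_text):
    """Yield (client, path, status, reasons, served) for each probe line."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names come from the log header
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        reasons = classify(rec.get("cs-uri-stem", ""))
        if reasons:
            status = int(rec.get("sc-status", "0"))
            # A 2xx answer to a probe means it was served and needs investigation.
            hits.append((rec["c-ip"], rec["cs-uri-stem"], status, reasons, 200 <= status < 300))
    return hits
```

Every hit with `served` set to `False` matches the "no 200 responses" observation in the reply; a single `True` is the line to investigate first.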