Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
From: Sean McHugh (Sean.McHughEPIC.SUNGARD.COM)
Date: Fri Mar 23 2001 - 10:17:05 CST
actually, b/c what others who know more than i do feel
about the NT implementation of STDOUT, some of the system
cli tools return screwy headers (or none at all ?) when
run over a web interface. While dir and lots of others work
fine, i have noticed that others will return with some of the
data chewed off and some not at all. cmd.exe seems to always
return for a dir, an echo, a tpye cmd, but still gives a 502
error although you are getting data back to your browser.
From: Chris Huseman [mailto:ChrisHA-T-G.COM]
Sent: Wednesday, March 21, 2001 5:53 PM
Subject: Re: One of our sites had problem yesterday afternoon...
The above three entries look like 502 response codes
were returned for the requested files. This would
mean that the request did not succeed...correct?
> ->00:04:24 18.104.22.168 GET /scripts/E.asp 200
> ->00:04:26 22.214.171.124 GET
> /scripts/../../winnt/system32/attrib.exe 502
> ->00:04:30 126.96.36.199 GET
> /scripts/../../winnt/system32/cmd.exe 502
Oddly enough...the request for E.asp did succeed, but
subsequest requests for the other files failed. I
don't know about a default install of IIS, but is
E.asp included? If not, it must have been placed on
the system prior to these log excerpts.
> ->I have two questions
> ->1) What are they doing with the first line
I'd say the cmd.exe file.
> ->2) How can I look at my logs and identify what
> ->was exploited.
Well...you'd want 200 response codes in most cases.
The older *.idc request technically succeeded if a 403
was returned...the physical path was part of the error
message. In the case of the log files you provided,
it looks as though most of the GET requests
failed...though it is very odd that one request for
cmd.exe would succeed, but a subsequent one would
This really isn't odd.. whats important with the cmd.exe request is the
querystring (thats the dangerous part), which doesn't appear in these logs.
For example, I hit:
The log says:
22:37:44 127.0.0.1 GET /scripts/../../../../../../winnt/system32/cmd.exe 200
But when I hit:
(foo is an unknown file)
I get this in the log:
22:38:48 127.0.0.1 GET /scripts/../../../../../../winnt/system32/cmd.exe 502
I have seen on some IIS installations a 502 error with every 'cmd.exe /c'
request because it really doesn't send a proper HTTP header, which is what
the 502 is for (IIRC).. so I wouldn't try to guess which of the 502's were
successful and which weren't.
I'd also guess that the first 200 request was something like a cmd.exe /c
dir c:\ request.. not just a request for the cmd.exe file, but something
that would tell the would-be attacker that the box is vulnerable.