From: H C (keydet89YAHOO.COM)
Date: Fri Apr 27 2001 - 23:12:42 CDT
> This is for sure a hack attempt. The person is
> trying to traverse your
> directory structure to get to the root of your
> system , or anywhere for that
> matter, which can make it possible to gain
> privileged access to your
> webserver if the person really knows what they are

Pretty vague response. First off, from the log files
provided (rather obviously doctored, so what else was
left out???) a couple of things were evident. The
"attacker" attempted to execute the 'dir' command...in
the cases that I've tested against, when a specific
directory or file argument isn't provided, the command
defaults to the current working directory.

Second, gaining privileged access is several steps
away. While it is true that they may eventually "gain
privileged access to your webserver if the person
really knows what they are doing", the response code
for the request bears investigation. Since the
original poster did not provide the headers of the log
file (which would indicate the values logged and their
order), we can assume that the "401" in the log file
entry below _is_ the response code. 400 and 500 level
response codes indicate a failure or error of some
sort. If the attempt had succeeded, a 200 response
code would have been returned, and all that the
"attacker" would have gained is a directory listing,
and the knowledge that your server is vulnerable.
However, it doesn't appear to be vulnerable.

From what the original poster provided, if this is the
only log entry, we can assume that this is some sort
of (possibly automated) attempt to determine if the
server was vulnerable to the exploit. Perhaps there
is a previous GET or HEAD request from the same IP.
However, the 'attacker' most likely recorded the 401
response code and moved on.

> Insert this command against your webserver in your
> web browser and see what
> results you get. It is a fairly new exploit against
> IIS 4 and 5 and is will
> not be fixed until SP7 for 4.0 and SP2 for 2000.

What are you talking about? Perhaps you should take a
closer look at not only the exploit, but what you are
typing, prior to hitting the "send" button. I hope
you're not putting misleading information such as this
into deliverables. According to a relevant Microsoft
the fix has been available since 17 Oct 2000, and
"will be included in" the SPs you listed.

See also http://www.securityfocus.com/bid/1806.

> you look on Microsoft's
> site there is a bulletin and a fix for this.

Yes, this is quite correct. However, it does directly
contradict your above statement of "It is a fairly new
exploit against IIS 4 and 5 and is will _not be fixed_
until SP7 for 4.0 and SP2 for 2000." I guess the
question a customer would have at this point is, if
there is a fix available, why are you saying that it
won't be fixed until the next SP?

> Jason Walters
> Information Security Engineer
>
> From: Boening, Christoph F.
> Sent: Friday, April 27, 2001 5:19 AM
> To: FOCUS-MSSECURITYFOCUS.COM
> Subject: Possible hack?
>
> I found the following log entry in one of my server
> logs. Would anyone be
> able to tell me what exactly it means?
>
> xxx.x.xxx.40, -, 2/24/01, 19:17:27, W3SVC1,
> servername, xxx.xxx.xxx.xx,
> 3219, 64, 637, 401, 5, GET,
> /scripts/../../winnt/system32/cmd.exe, /c+dir,
>
> I appreciate your help.
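
Added example, not part of the original message or written by any of its participants: a small Python triage script for the kind of log entry discussed above. It flags requests whose target contains a directory traversal, separates failed attempts (400/500 level) from a 200, and lists other requests from the same client IP. The field order is an assumption (the fixed Microsoft IIS log file format), and the sample lines, addresses and server name are constructed.

```python
# Field order assumed: the fixed Microsoft IIS log file format (the post
# itself only assumes that "401" is the response code).
FIELDS = ["client_ip", "user", "date", "time", "service", "server",
          "server_ip", "time_taken", "bytes_in", "bytes_out",
          "status", "win32_status", "method", "target", "params"]

# Constructed sample lines modelled on the posted entry (documentation IPs).
SAMPLE_LOG = """\
192.0.2.40, -, 2/24/01, 19:17:20, W3SVC1, WEB01, 198.51.100.7, 15, 40, 310, 200, 0, HEAD, /default.htm, -,
192.0.2.40, -, 2/24/01, 19:17:27, W3SVC1, WEB01, 198.51.100.7, 3219, 64, 637, 401, 5, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir,
192.0.2.77, -, 2/24/01, 20:01:02, W3SVC1, WEB01, 198.51.100.7, 31, 70, 1200, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir,
"""

def parse_line(line):
    """Split one record; params is the last field, so it may contain commas."""
    parts = [p.strip() for p in line.strip().split(",", len(FIELDS) - 1)]
    if len(parts) != len(FIELDS):
        return None  # incomplete or foreign line
    rec = dict(zip(FIELDS, parts))
    rec["params"] = rec["params"].rstrip(",").strip()
    if not rec["status"].isdigit():
        return None
    rec["status"] = int(rec["status"])
    return rec

def classify(rec):
    """Return None for ordinary requests, else a verdict from the status code."""
    target = rec["target"].lower().replace("\\", "/")
    if "../" not in target:
        return None
    if rec["status"] == 200:
        return "succeeded"  # request was served: treat as an incident
    if rec["status"] >= 400:
        return "failed"     # rejected, as with the 401 in the post
    return "review"

def triage(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    findings = []
    for rec in records:
        verdict = classify(rec)
        if verdict is None:
            continue
        # Other requests from the same client, e.g. an earlier GET or HEAD.
        related = [f"{r['time']} {r['method']} {r['target']}" for r in records
                   if r is not rec and r["client_ip"] == rec["client_ip"]]
        findings.append({"client_ip": rec["client_ip"], "status": rec["status"],
                         "verdict": verdict, "related": related})
    return findings
```
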