Date: Sat, 3 Feb 2001 17:56:13 -0600 (EST)
From: rain forest puppy
Subject: Re: Scan of the Month, February

My response to the answers, for reference:

1. Windows NT 4, due to the big honking "Microsoft-IIS/4.0" banner in the host response.

2. This is known as a 'Unicode' attack. This is NOT the msadc attack. The directory /msadc/ is in the URL request, but that does not make it the msadc attack. Always be careful before jumping to conclusions :)

3. The attacker attempted (and succeeded) to execute files/executables outside the webroot by using a Unicode/UTF8-encoded directory traversal URL (the old '/../../' trick). In this case, they attempted to execute a copy of cmd.exe, particularly running the dir command.

4. By encoding the '/' character in UTF8 (which results in the 2-byte value 0xc0af), IIS fails its safety check to properly canonicalize the URL, leaving the UTF8 characters in the filename. However, when IIS passes the filename to the underlying OS, the OS interprets the UTF8 characters, and therefore serves up a different file than IIS was expecting.

NOTE: Max Vision's ArachNIDS database also has a detailed writeup of this signature, located at http://www.whitehats.com/info/IDS452

Also, the version of snort being used to capture these images was using the http_decode preprocessor. That means it processes the '../' attempt. That is why, when you look at the decode of the attack, you do not see the %c0%af in the ASCII text portion. It has already been decoded; you have to read it in the Hex part of the packet:

    2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F   ./....../....../
                ^^ ^^                ^^ ^^

One interesting note is that it appears the attacker exploited the server using a standard web browser (IE 5.01 on Win 95), due to the inclusion of many typical browser client headers (cookie, accept-encoding, accept-language, accept).

Looking at the Accept: header, we see that the user has MS Office installed (due to the presence of the application/vnd.ms-excel, application/msword, and application/vnd.ms-powerpoint mime types).

- rfp
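To make points 3 and 4 and the snort note concrete, here is an added Python model (my example, not code from rfp, Honeynet or IIS) of the canonicalization mismatch and of detection on the raw bytes. The request path, the webroot /inetpub/wwwroot and the helper names are constructed for illustration; the 16-byte payload is the hex row from the post. The flawed check percent-decodes and then looks for a ".." segment, which is what the real check was fooled by: the segment it sees is "..\xc0\xaf..", not "..", while the OS reads C0 AF as '/' and the same path climbs out of the webroot. The hardened check insists on strictly valid UTF-8 before the traversal test so that the check and the filesystem agree on what the name means, and the detector finds the overlong pair in the raw bytes regardless of whatever the ASCII pane shows after http_decode has run.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed request path modelled on the Unicode traversal described in the post;
# it is not the actual capture from the Scan of the Month (query string dropped).
SAMPLE_PATH = b"/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe"

# The 16 bytes shown in the post's hex dump ("./....../....../").
SAMPLE_PAYLOAD = bytes.fromhex("2E 2F 2E 2E C0 AF 2E 2E 2F 2E 2E C0 AF 2E 2E 2F")

OVERLONG_SLASH = b"\xc0\xaf"   # 2-byte overlong UTF-8 encoding of '/' (0x2F)
WEBROOT = "/inetpub/wwwroot"   # assumed webroot, chosen for the illustration


def segments(path: bytes) -> list:
    """Split a decoded path on '/' only, dropping empty segments."""
    return [s for s in path.split(b"/") if s]


def naive_allows(raw_path: bytes) -> bool:
    """Model of the flawed server-side check: percent-decode, then refuse any
    segment that is exactly '..'. Returns True when the request is let through."""
    decoded = unquote_to_bytes(raw_path)
    return all(seg != b".." for seg in segments(decoded))


def os_view(decoded: bytes) -> str:
    """The name the filesystem layer effectively sees: C0 AF is read as '/'."""
    return decoded.replace(OVERLONG_SLASH, b"/").decode("ascii", errors="replace")


def resolved_target(raw_path: bytes, webroot: str = WEBROOT) -> str:
    """Where the request really lands once the OS has interpreted the overlong slash."""
    decoded = unquote_to_bytes(raw_path)
    return posixpath.normpath(webroot + os_view(decoded))


def escapes_webroot(raw_path: bytes, webroot: str = WEBROOT) -> bool:
    """True if the resolved target is outside the webroot."""
    target = resolved_target(raw_path, webroot)
    return not (target == webroot or target.startswith(webroot + "/"))


def hardened_allows(raw_path: bytes) -> bool:
    """Corrected check: decode, require valid (non-overlong) UTF-8, and only then
    test for '..' segments, so the check and the OS agree on the path's meaning."""
    decoded = unquote_to_bytes(raw_path)
    try:
        text = decoded.decode("utf-8")   # strict: 0xC0 is never a valid lead byte
    except UnicodeDecodeError:
        return False
    return all(seg != ".." for seg in text.split("/") if seg)


def overlong_slash_offsets(payload: bytes) -> list:
    """Detection on the raw bytes, as the hex pane of the capture shows them:
    byte offsets of every C0 AF pair, independent of any ASCII-side decoding."""
    offsets, start = [], 0
    while True:
        i = payload.find(OVERLONG_SLASH, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


if __name__ == "__main__":
    print("flawed check allows:  ", naive_allows(SAMPLE_PATH))
    print("hardened check allows:", hardened_allows(SAMPLE_PATH))
    print("OS resolves to:       ", resolved_target(SAMPLE_PATH))
    print("escapes webroot:      ", escapes_webroot(SAMPLE_PATH))
    print("C0 AF at offsets:     ", overlong_slash_offsets(SAMPLE_PAYLOAD))
```

Run stand-alone, the flawed check lets the constructed path through while the hardened one refuses it, the resolved target is /winnt/system32/cmd.exe, and the detector reports the two overlong pairs at offsets 4 and 11, exactly the bytes the post's ^^ markers point at. The general lesson is the one in point 4: decode and validate the encoding first, and only then make the security decision, in the same representation the operating system will act on.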