Home > Archive > IIS Server Security > April 2004 > New Security hole?
New Security hole?
I may have found a new security hole in IIS. Some of my
websites stopped responding on http, I checked the logs
and found this:
SEARCH / AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
- 404 -
This is some kind of URL request that, after getting it a
few times, IIS will stop responding on HTTP.
It came from different IP addresses in the world and
seems to be from machines with Windows98 (Trojan horse
maybe?)
I fixed it by installing the URLSCAN tool on IIS, which
automatically rejects these requests.
If anyone has information about it or has seen it too,
please reply here.
Regards,
Kfir Cohen - MCSE
Systems Manager.
| |
| Ken Schaefer 2004-04-28, 7:34 am |
Do you have MS04-011 installed on this machine?
http://www.microsoft.com/technet/se...n/MS04-011.mspx
Cheers
Ken
| |
| Karl Levinson [x y] mvp 2004-04-28, 7:34 am |
It looks like a scan for the old NTDLL.DLL vulnerability via WebDAV that was
fixed by the MS03-007 patch. The resurgence of these scans now is probably
due to the Agobot / Gaobot / Polybot / Phatbot family of trojans.
URLScan and IIS Lockdown are a good bet, I would have wanted them on there
right from the start of the server's life. I wouldn't recommend running an
IIS 5 or older server without it.
| |
|
Yes I have, but I can see in the logs after I installed
URLSCAN that it now rejects these URL requests.
By the way, all the requests come from Win98 machines with
IE5.5, probably it's a new trojan horse that tries to get
into machines on port 80.
Kfir
|
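One way to triage IIS logs for the pattern discussed in this thread (a WebDAV verb such as SEARCH carrying an extremely long URL, arriving from many addresses), as an added example that is not part of the original posts. The log field layout, sample records, IP addresses and the 260-character threshold are constructed assumptions.

```python
from collections import defaultdict

# RFC 2518 WebDAV verbs plus SEARCH, the verb seen in the thread's log entry.
WEBDAV_VERBS = {"SEARCH", "PROPFIND", "PROPPATCH", "MKCOL",
                "COPY", "MOVE", "LOCK", "UNLOCK"}
MAX_URL = 260  # assumed threshold: longest URL the site legitimately serves

# Constructed sample log; addresses are documentation ranges, stems are filler.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)",
    "2004-04-27 03:10:01 192.0.2.10 GET /default.asp 200 Mozilla/4.0+(compatible;+MSIE+6.0)",
    "2004-04-27 03:11:40 198.51.100.7 SEARCH /" + "A" * 2000 + " 404 -",
    "2004-04-27 03:11:58 198.51.100.7 SEARCH /" + "A" * 3000 + " 404 -",
    "2004-04-27 03:12:05 203.0.113.44 SEARCH /" + "A" * 2000 + " 404 -",
    "2004-04-27 03:13:00 192.0.2.10 PROPFIND /docs 207 Microsoft-WebDAV-MiniRedir",
    "2004-04-27 03:14",  # truncated record, must be skipped
])


def parse_w3c(text):
    """Yield one dict per log record, honouring every #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # layout may change mid-file
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):     # skip truncated/malformed lines
                yield dict(zip(fields, values))


def suspicious(record, max_url=MAX_URL):
    """True for a WebDAV verb whose URI stem is longer than max_url."""
    method = record.get("cs-method", "").upper()
    return method in WEBDAV_VERBS and len(record.get("cs-uri-stem", "")) > max_url


def triage(text, max_url=MAX_URL):
    """Group suspicious requests by client IP, keeping lengths, not payloads."""
    hits = defaultdict(lambda: {"count": 0, "longest": 0,
                                "statuses": set(), "agents": set()})
    for rec in parse_w3c(text):
        if suspicious(rec, max_url):
            entry = hits[rec.get("c-ip", "-")]
            entry["count"] += 1
            entry["longest"] = max(entry["longest"], len(rec["cs-uri-stem"]))
            entry["statuses"].add(rec.get("sc-status", "-"))
            entry["agents"].add(rec.get("cs(User-Agent)", "-"))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(triage(SAMPLE_LOG).items()):
        print(ip, info["count"], "requests, longest URL", info["longest"],
              "status", sorted(info["statuses"]))
```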