New Security hole?
Web Server forum
Back To The Forum Home!Search!Private Messaging System
Visit your User Control Panel!Register your FREE username now!Visit Our Calendar!View the Member List!Faqs!Search our Forums!

Web Server Talk Web Server Talk > Web Servers reviews > IIS server support > IIS Server Security > New Security hole?




  Last Thread   Next Thread Next
  Show Printable Version Email this Page Subscribe to this Thread      Post New Thread    Post A Reply      

    New Security hole?  
Kfir


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
04-28-04 11:34 AM

I may found a new security hole in IIS. Some of my=20
websites stopped responding on http, I checked the logs=20
and found this:

SEARCH / AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAA???=18??????????????????????????????????
####??????????
 rmomddddddisjhnegdddddddlohddplokdepnqlo
jldlloskjndiimrlim
 ddddddrfsmlgrpehggpdidjlfrjikljijljljskg
khjlipkgkjjgloqpid
 jndjjndfididjlddddddhdigssejlgslsskhfmlo
sljnddlopjlgpdelid
 loilspiglgpddhidikssijdhidikssijdlillipd
khdmloqpggpdidigss
 ijdpssijedieijlohigploihflkldgqiiflokffd
dgsiggpmhmhenqdgpi
 ggqodsoredgnqjkhdlpepodqdgqnhdrosegoeski
rkinloinfhdgqqjjlo
 dpholoinepdgqqlodhlodgpinoirimpgrlhfssss
ssniekddkpeskmdnrl
 somksqdsmlsrlndrrsprrdjdddgfdddddddddddd
hqinmddddgdddddddh
 ddddddssssddddolddddddddddddddhddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
ddddrldddddddreson
 drddohdmpqfeoldehppqfeihjljmkgfdkdkfjsjk
kfjejqfdjgjejrjrjs
 khfdjfjifdkfkijrfdjmjrfdhhhsigfdjqjsjhji
frdqdqdnfhdddddddd
 ddddddnigldipkreimjomhreimjomhreimjomhmn
hijkmhrgimjomhjfhi
 jimhrgimjomhlrhjjemhrnimjomhlrhjjsmhrgim
jomhreimjnmhljimjo
 mhjfiegjmhrlimjomhrkknjdmhrdimjomhifjmjg
jlreimjomhdddddddd
 dddddddddddddddddddddddddddddddddddddddd
idhiddddhpdedgddiq
 rlegjeddddddddddddddddrddddsdedodekmqkdd
gdddddddedddddddmd
 ddddndpnddddddndddddddqdddddddddhddddded
dddddddfdddddhdddd
 dddddddddddhddddddddddddddddrddddddddhdd
dddddddddddgdddddd
 ddddedddddedddddddddedddddeddddddddddddd
eddddddddddddddddd
 ddddddddqdddddgldedddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 ddddddddddddddddddddddddddddddddmddddddd
eddddddddddddddddh
 ddddddddddddddddddddddddddddldddddrddddd
ddddddddddddddgddd
 ddddndddddddfpdddddddhdddddddddddddddddd
ddddddddddhdddddrd
 ddddddddddddddddddedddddddqddddddddfdddd
ddgddddddddddddddd
 ddddddddddddddhdddddpddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 ddddddddddddddddddddddddddsssseirlhdhddd
rldddddqoplipdkigi
 jldhdednjlkhngefidojsfppjpemrpedgpklfmsd
iooosqhsfnsplgsldf
 kidirmdmdefpdhddhpsrqskrpmpgmdlerpdldfef
lqhhfhddijiklogqgl
 hehdsossompigpifrdjpqklgphdplqhpfhdljndd
iejhkkjgosqqigrdhd
 dirhhdkdgpfrlogihdsjkkkskgdifkdhssqjmmom
diirsksmloehmiklir
 egqsmrhpqlifeejhfidkdsldkmdihlonookksslg
plslhdlodhlioqgqme
 pkliirdkffkpmrehpqhhfmdpiokihkrhlegrkjse
pnidopsflpskgoieeo
 qoqosssssseirlhdhdddrldddddqoplipdkigijl
dhdednjlkhngefidoj
 sfppjpemrpedgpklfmsdiooosqhsfnsplgsldfki
dirmdmdefpdhddhpsr
 qskrpmpgmdlerpdldfeflqhhfhddijiklogqglhe
hdsossompigpifrdjp
 qklgphdplqhpfhdljnddiejhkkjgosqqigrdhddi
rhhdkdgpfrlogihdsj
 kkkskgdifkdhssqjmmomdiirsksmloehmiklireg
qsmrhpqlifeejhfidk
 dsldkmdihlonookksslgplslhdlodhlihheilqlp
fhehohidjlqlkgiesg
 kfhlikfhdesrehligpqmrqkhokneepiffmfhlpqp
jlqnjdrskkqodpklfh
 dkdeopisirlephpmqokksgsqjsddlgrpedjlsljp
ogqpggpdpkrmkknsqo
 grgplmdkdldgdpsmegdhkdeeoooikkjgqeglfhsk
qleopddgkpphedhplf
 rmqrojjlpdefddjrheghkhkgmosssjngshnikokh
ghjndejnddjndffmip
 dldnofoeiljhdhlodsdgenkfreiorhdehsgdpfdl
ddjsnddejrjrfogped
 igiikesgdfogimmlhesskqrkkrdslijpdqfpedrp
nesdnieekhempkdiql
 sromprkikoileknieddjesdjrproekoofkfkpsel
jhdddedlgpdhdplphp
 jkhldlndmnehdskskkskesnllqdpldlofqpheqlo
eqpldilqdhhllqehld
 neklpkliqslhlfjqlmihjgkpgnfpksginegldrok
sorjdhdmsskhfoidgp
 egsphhjrmiesgoonerokehdsepidedldffqmlqnq
soqsssqgnldgjqqidn
 pphdeflipqlqoeejqjhsqdhdhlkdheeoioodrjng
hpkmqklgjkehekdhkg
 mssqjqikiffkjlndfjghjjngqhqehqrlkrmqsods
lhjgqdienegjjnsspm
 qhrmkjdqpspoelipoheldlereprrfedgejkoskef
fpdhfhkpjlmdjekqeq
 eoqrpqlsilmrfqklngkdmggrdijlqdssqnqjdpil
ilieqgmqlolosdlerj
 sspgqldpleddqknolgsndgkkeqssfhmijeslqsqp
ipeheqnmedperfeddg
 sfrodolojikqmdjsooeiperddpsdfoeodldslkmi
 - 404 -

This is some kind of URL Request that after getting it a=20
few times IIS will stop responding on HTTP.

It came from different IP addresses in the world and=20
seems to be from machines with Windows98 (Trojan horse=20
maybe?)

I fixed it with installing URLSCAN tool on IIS which=20
automatically rejects these requests.

If anyone has information about it or has seen it too=20
please reply here.

Regards,

Kfir cohen -MCSE
Systems Manager.




[ Post a follow-up to this message ]



    Re: New Security hole?  
Ken Schaefer


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
04-28-04 12:34 PM

Do you have MS04-011 installed on this machine?
http://www.microsoft.com/technet/se...n/MS04-011.mspx

Cheers
Ken

"Kfir" <kc@csgglobal.com> wrote in message
news:564701c42d07$6f5292c0$a101280a@phx.gbl...
I may found a new security hole in IIS. Some of my
websites stopped responding on http, I checked the logs
and found this:

SEARCH / AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAA?????????????????????????????????????
####??????????
 rmomddddddisjhnegdddddddlohddplokdepnqlo
jldlloskjndiimrlim
 ddddddrfsmlgrpehggpdidjlfrjikljijljljskg
khjlipkgkjjgloqpid
 jndjjndfididjlddddddhdigssejlgslsskhfmlo
sljnddlopjlgpdelid
 loilspiglgpddhidikssijdhidikssijdlillipd
khdmloqpggpdidigss
 ijdpssijedieijlohigploihflkldgqiiflokffd
dgsiggpmhmhenqdgpi
 ggqodsoredgnqjkhdlpepodqdgqnhdrosegoeski
rkinloinfhdgqqjjlo
 dpholoinepdgqqlodhlodgpinoirimpgrlhfssss
ssniekddkpeskmdnrl
 somksqdsmlsrlndrrsprrdjdddgfdddddddddddd
hqinmddddgdddddddh
 ddddddssssddddolddddddddddddddhddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
ddddrldddddddreson
 drddohdmpqfeoldehppqfeihjljmkgfdkdkfjsjk
kfjejqfdjgjejrjrjs
 khfdjfjifdkfkijrfdjmjrfdhhhsigfdjqjsjhji
frdqdqdnfhdddddddd
 ddddddnigldipkreimjomhreimjomhreimjomhmn
hijkmhrgimjomhjfhi
 jimhrgimjomhlrhjjemhrnimjomhlrhjjsmhrgim
jomhreimjnmhljimjo
 mhjfiegjmhrlimjomhrkknjdmhrdimjomhifjmjg
jlreimjomhdddddddd
 dddddddddddddddddddddddddddddddddddddddd
idhiddddhpdedgddiq
 rlegjeddddddddddddddddrddddsdedodekmqkdd
gdddddddedddddddmd
 ddddndpnddddddndddddddqdddddddddhddddded
dddddddfdddddhdddd
 dddddddddddhddddddddddddddddrddddddddhdd
dddddddddddgdddddd
 ddddedddddedddddddddedddddeddddddddddddd
eddddddddddddddddd
 ddddddddqdddddgldedddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 ddddddddddddddddddddddddddddddddmddddddd
eddddddddddddddddh
 ddddddddddddddddddddddddddddldddddrddddd
ddddddddddddddgddd
 ddddndddddddfpdddddddhdddddddddddddddddd
ddddddddddhdddddrd
 ddddddddddddddddddedddddddqddddddddfdddd
ddgddddddddddddddd
 ddddddddddddddhdddddpddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 ddddddddddddddddddddddddddsssseirlhdhddd
rldddddqoplipdkigi
 jldhdednjlkhngefidojsfppjpemrpedgpklfmsd
iooosqhsfnsplgsldf
 kidirmdmdefpdhddhpsrqskrpmpgmdlerpdldfef
lqhhfhddijiklogqgl
 hehdsossompigpifrdjpqklgphdplqhpfhdljndd
iejhkkjgosqqigrdhd
 dirhhdkdgpfrlogihdsjkkkskgdifkdhssqjmmom
diirsksmloehmiklir
 egqsmrhpqlifeejhfidkdsldkmdihlonookksslg
plslhdlodhlioqgqme
 pkliirdkffkpmrehpqhhfmdpiokihkrhlegrkjse
pnidopsflpskgoieeo
 qoqosssssseirlhdhdddrldddddqoplipdkigijl
dhdednjlkhngefidoj
 sfppjpemrpedgpklfmsdiooosqhsfnsplgsldfki
dirmdmdefpdhddhpsr
 qskrpmpgmdlerpdldfeflqhhfhddijiklogqglhe
hdsossompigpifrdjp
 qklgphdplqhpfhdljnddiejhkkjgosqqigrdhddi
rhhdkdgpfrlogihdsj
 kkkskgdifkdhssqjmmomdiirsksmloehmiklireg
qsmrhpqlifeejhfidk
 dsldkmdihlonookksslgplslhdlodhlihheilqlp
fhehohidjlqlkgiesg
 kfhlikfhdesrehligpqmrqkhokneepiffmfhlpqp
jlqnjdrskkqodpklfh
 dkdeopisirlephpmqokksgsqjsddlgrpedjlsljp
ogqpggpdpkrmkknsqo
 grgplmdkdldgdpsmegdhkdeeoooikkjgqeglfhsk
qleopddgkpphedhplf
 rmqrojjlpdefddjrheghkhkgmosssjngshnikokh
ghjndejnddjndffmip
 dldnofoeiljhdhlodsdgenkfreiorhdehsgdpfdl
ddjsnddejrjrfogped
 igiikesgdfogimmlhesskqrkkrdslijpdqfpedrp
nesdnieekhempkdiql
 sromprkikoileknieddjesdjrproekoofkfkpsel
jhdddedlgpdhdplphp
 jkhldlndmnehdskskkskesnllqdpldlofqpheqlo
eqpldilqdhhllqehld
 neklpkliqslhlfjqlmihjgkpgnfpksginegldrok
sorjdhdmsskhfoidgp
 egsphhjrmiesgoonerokehdsepidedldffqmlqnq
soqsssqgnldgjqqidn
 pphdeflipqlqoeejqjhsqdhdhlkdheeoioodrjng
hpkmqklgjkehekdhkg
 mssqjqikiffkjlndfjghjjngqhqehqrlkrmqsods
lhjgqdienegjjnsspm
 qhrmkjdqpspoelipoheldlereprrfedgejkoskef
fpdhfhkpjlmdjekqeq
 eoqrpqlsilmrfqklngkdmggrdijlqdssqnqjdpil
ilieqgmqlolosdlerj
 sspgqldpleddqknolgsndgkkeqssfhmijeslqsqp
ipeheqnmedperfeddg
 sfrodolojikqmdjsooeiperddpsdfoeodldslkmi
 - 404 -

This is some kind of URL Request that after getting it a
few times IIS will stop responding on HTTP.

It came from different IP addresses in the world and
seems to be from machines with Windows98 (Trojan horse
maybe?)

I fixed it with installing URLSCAN tool on IIS which
automatically rejects these requests.

If anyone has information about it or has seen it too
please reply here.

Regards,

Kfir cohen -MCSE
Systems Manager.




[ Post a follow-up to this message ]



    Re: New Security hole?  
Karl Levinson [x y] mvp


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
04-28-04 12:34 PM

It looks like a scan for the old NTDLL.DLL vulnerability via WebDAV that was
fixed by the MS03-007 patch.  The resurgence of these scans now is probably
due to the Agobot / Gaobot / Polybot / Phatbot family of trojans.

URLScan and IIS Lockdown is a good bet, I would have wanted it on there
right from the start of the server's life.  I wouldn't recommend running an
IIS 5 or older server without it.


"Kfir" <kc@csgglobal.com> wrote in message
news:564701c42d07$6f5292c0$a101280a@phx.gbl...
I may found a new security hole in IIS. Some of my
websites stopped responding on http, I checked the logs
and found this:

SEARCH / AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAA
AAAAAAAAA?????????????????????????????????????
####??????????
 rmomddddddisjhnegdddddddlohddplokdepnqlo
jldlloskjndiimrlim
 ddddddrfsmlgrpehggpdidjlfrjikljijljljskg
khjlipkgkjjgloqpid
 jndjjndfididjlddddddhdigssejlgslsskhfmlo
sljnddlopjlgpdelid
 loilspiglgpddhidikssijdhidikssijdlillipd
khdmloqpggpdidigss
 ijdpssijedieijlohigploihflkldgqiiflokffd
dgsiggpmhmhenqdgpi
 ggqodsoredgnqjkhdlpepodqdgqnhdrosegoeski
rkinloinfhdgqqjjlo
 dpholoinepdgqqlodhlodgpinoirimpgrlhfssss
ssniekddkpeskmdnrl
 somksqdsmlsrlndrrsprrdjdddgfdddddddddddd
hqinmddddgdddddddh
 ddddddssssddddolddddddddddddddhddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
ddddrldddddddreson
 drddohdmpqfeoldehppqfeihjljmkgfdkdkfjsjk
kfjejqfdjgjejrjrjs
 khfdjfjifdkfkijrfdjmjrfdhhhsigfdjqjsjhji
frdqdqdnfhdddddddd
 ddddddnigldipkreimjomhreimjomhreimjomhmn
hijkmhrgimjomhjfhi
 jimhrgimjomhlrhjjemhrnimjomhlrhjjsmhrgim
jomhreimjnmhljimjo
 mhjfiegjmhrlimjomhrkknjdmhrdimjomhifjmjg
jlreimjomhdddddddd
 dddddddddddddddddddddddddddddddddddddddd
idhiddddhpdedgddiq
 rlegjeddddddddddddddddrddddsdedodekmqkdd
gdddddddedddddddmd
 ddddndpnddddddndddddddqdddddddddhddddded
dddddddfdddddhdddd
 dddddddddddhddddddddddddddddrddddddddhdd
dddddddddddgdddddd
 ddddedddddedddddddddedddddeddddddddddddd
eddddddddddddddddd
 ddddddddqdddddgldedddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 ddddddddddddddddddddddddddddddddmddddddd
eddddddddddddddddh
 ddddddddddddddddddddddddddddldddddrddddd
ddddddddddddddgddd
 ddddndddddddfpdddddddhdddddddddddddddddd
ddddddddddhdddddrd
 ddddddddddddddddddedddddddqddddddddfdddd
ddgddddddddddddddd
 ddddddddddddddhdddddpddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 dddddddddddddddddddddddddddddddddddddddd
dddddddddddddddddd
 ddddddddddddddddddddddddddsssseirlhdhddd
rldddddqoplipdkigi
 jldhdednjlkhngefidojsfppjpemrpedgpklfmsd
iooosqhsfnsplgsldf
 kidirmdmdefpdhddhpsrqskrpmpgmdlerpdldfef
lqhhfhddijiklogqgl
 hehdsossompigpifrdjpqklgphdplqhpfhdljndd
iejhkkjgosqqigrdhd
 dirhhdkdgpfrlogihdsjkkkskgdifkdhssqjmmom
diirsksmloehmiklir
 egqsmrhpqlifeejhfidkdsldkmdihlonookksslg
plslhdlodhlioqgqme
 pkliirdkffkpmrehpqhhfmdpiokihkrhlegrkjse
pnidopsflpskgoieeo
 qoqosssssseirlhdhdddrldddddqoplipdkigijl
dhdednjlkhngefidoj
 sfppjpemrpedgpklfmsdiooosqhsfnsplgsldfki
dirmdmdefpdhddhpsr
 qskrpmpgmdlerpdldfeflqhhfhddijiklogqglhe
hdsossompigpifrdjp
 qklgphdplqhpfhdljnddiejhkkjgosqqigrdhddi
rhhdkdgpfrlogihdsj
 kkkskgdifkdhssqjmmomdiirsksmloehmiklireg
qsmrhpqlifeejhfidk
 dsldkmdihlonookksslgplslhdlodhlihheilqlp
fhehohidjlqlkgiesg
 kfhlikfhdesrehligpqmrqkhokneepiffmfhlpqp
jlqnjdrskkqodpklfh
 dkdeopisirlephpmqokksgsqjsddlgrpedjlsljp
ogqpggpdpkrmkknsqo
 grgplmdkdldgdpsmegdhkdeeoooikkjgqeglfhsk
qleopddgkpphedhplf
 rmqrojjlpdefddjrheghkhkgmosssjngshnikokh
ghjndejnddjndffmip
 dldnofoeiljhdhlodsdgenkfreiorhdehsgdpfdl
ddjsnddejrjrfogped
 igiikesgdfogimmlhesskqrkkrdslijpdqfpedrp
nesdnieekhempkdiql
 sromprkikoileknieddjesdjrproekoofkfkpsel
jhdddedlgpdhdplphp
 jkhldlndmnehdskskkskesnllqdpldlofqpheqlo
eqpldilqdhhllqehld
 neklpkliqslhlfjqlmihjgkpgnfpksginegldrok
sorjdhdmsskhfoidgp
 egsphhjrmiesgoonerokehdsepidedldffqmlqnq
soqsssqgnldgjqqidn
 pphdeflipqlqoeejqjhsqdhdhlkdheeoioodrjng
hpkmqklgjkehekdhkg
 mssqjqikiffkjlndfjghjjngqhqehqrlkrmqsods
lhjgqdienegjjnsspm
 qhrmkjdqpspoelipoheldlereprrfedgejkoskef
fpdhfhkpjlmdjekqeq
 eoqrpqlsilmrfqklngkdmggrdijlqdssqnqjdpil
ilieqgmqlolosdlerj
 sspgqldpleddqknolgsndgkkeqssfhmijeslqsqp
ipeheqnmedperfeddg
 sfrodolojikqmdjsooeiperddpsdfoeodldslkmi
 - 404 -

This is some kind of URL Request that after getting it a
few times IIS will stop responding on HTTP.

It came from different IP addresses in the world and
seems to be from machines with Windows98 (Trojan horse
maybe?)

I fixed it with installing URLSCAN tool on IIS which
automatically rejects these requests.

If anyone has information about it or has seen it too
please reply here.

Regards,

Kfir cohen -MCSE
Systems Manager.




[ Post a follow-up to this message ]



    Re: New Security hole?  
Kfir


View Ip Address Report This Message To A Moderator Edit/Delete Message


 
04-28-04 12:34 PM

Yes I have but I can see on the logs after I installed=20
the URLSCAN that now it rejects these URL requests.

By the way all the requests come from win98 machines with=20
IE5.5, probably it's a new torjan horse that tries to get=20
into machines on port 80

Kfir

>-----Original Message-----
>Do you have MS04-011 installed on this machine?
>http://www.microsoft.com/technet/se.../Bulletin/MS04-
011.mspx
>
>Cheers
>Ken
>
>"Kfir" <kc@csgglobal.com> wrote in message
>news:564701c42d07$6f5292c0$a101280a@phx.gbl...
>I may found a new security hole in IIS. Some of my
>websites stopped responding on http, I checked the logs
>and found this:
>
>SEARCH / AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAA
A
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA
A
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA
A
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA
A
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAA
A
>AAAAAAAAA???=18??????????????????????????????????
>####??????????
> rmomddddddisjhnegdddddddlohddplokdepnqlo
jldlloskjndiimrli
m
> ddddddrfsmlgrpehggpdidjlfrjikljijljljskg
khjlipkgkjjgloqpi
d
> jndjjndfididjlddddddhdigssejlgslsskhfmlo
sljnddlopjlgpdeli
d
> loilspiglgpddhidikssijdhidikssijdlillipd
khdmloqpggpdidigs
s
> ijdpssijedieijlohigploihflkldgqiiflokffd
dgsiggpmhmhenqdgp
i
> ggqodsoredgnqjkhdlpepodqdgqnhdrosegoeski
rkinloinfhdgqqjjl
o
> dpholoinepdgqqlodhlodgpinoirimpgrlhfssss
ssniekddkpeskmdnr
l
> somksqdsmlsrlndrrsprrdjdddgfdddddddddddd
hqinmddddgddddddd
h
> ddddddssssddddolddddddddddddddhddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddrldddddddreso
n
> drddohdmpqfeoldehppqfeihjljmkgfdkdkfjsjk
kfjejqfdjgjejrjrj
s
> khfdjfjifdkfkijrfdjmjrfdhhhsigfdjqjsjhji
frdqdqdnfhddddddd
d
> ddddddnigldipkreimjomhreimjomhreimjomhmn
hijkmhrgimjomhjfh
i
> jimhrgimjomhlrhjjemhrnimjomhlrhjjsmhrgim
jomhreimjnmhljimj
o
> mhjfiegjmhrlimjomhrkknjdmhrdimjomhifjmjg
jlreimjomhddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
idhiddddhpdedgddi
q
> rlegjeddddddddddddddddrddddsdedodekmqkdd
gdddddddedddddddm
d
> ddddndpnddddddndddddddqdddddddddhddddded
dddddddfdddddhddd
d
> dddddddddddhddddddddddddddddrddddddddhdd
dddddddddddgddddd
d
> ddddedddddedddddddddedddddeddddddddddddd
edddddddddddddddd
d
> ddddddddqdddddgldedddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> ddddddddddddddddddddddddddddddddmddddddd
edddddddddddddddd
h
> ddddddddddddddddddddddddddddldddddrddddd
ddddddddddddddgdd
d
> ddddndddddddfpdddddddhdddddddddddddddddd
ddddddddddhdddddr
d
> ddddddddddddddddddedddddddqddddddddfdddd
ddgdddddddddddddd
d
> ddddddddddddddhdddddpddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> dddddddddddddddddddddddddddddddddddddddd
ddddddddddddddddd
d
> ddddddddddddddddddddddddddsssseirlhdhddd
rldddddqoplipdkig
i
> jldhdednjlkhngefidojsfppjpemrpedgpklfmsd
iooosqhsfnsplgsld
f
> kidirmdmdefpdhddhpsrqskrpmpgmdlerpdldfef
lqhhfhddijiklogqg
l
> hehdsossompigpifrdjpqklgphdplqhpfhdljndd
iejhkkjgosqqigrdh
d
> dirhhdkdgpfrlogihdsjkkkskgdifkdhssqjmmom
diirsksmloehmikli
r
> egqsmrhpqlifeejhfidkdsldkmdihlonookksslg
plslhdlodhlioqgqm
e
> pkliirdkffkpmrehpqhhfmdpiokihkrhlegrkjse
pnidopsflpskgoiee
o
> qoqosssssseirlhdhdddrldddddqoplipdkigijl
dhdednjlkhngefido
j
> sfppjpemrpedgpklfmsdiooosqhsfnsplgsldfki
dirmdmdefpdhddhps
r
> qskrpmpgmdlerpdldfeflqhhfhddijiklogqglhe
hdsossompigpifrdj
p
> qklgphdplqhpfhdljnddiejhkkjgosqqigrdhddi
rhhdkdgpfrlogihds
j
> kkkskgdifkdhssqjmmomdiirsksmloehmiklireg
qsmrhpqlifeejhfid
k
> dsldkmdihlonookksslgplslhdlodhlihheilqlp
fhehohidjlqlkgies
g
> kfhlikfhdesrehligpqmrqkhokneepiffmfhlpqp
jlqnjdrskkqodpklf
h
> dkdeopisirlephpmqokksgsqjsddlgrpedjlsljp
ogqpggpdpkrmkknsq
o
> grgplmdkdldgdpsmegdhkdeeoooikkjgqeglfhsk
qleopddgkpphedhpl
f
> rmqrojjlpdefddjrheghkhkgmosssjngshnikokh
ghjndejnddjndffmi
p
> dldnofoeiljhdhlodsdgenkfreiorhdehsgdpfdl
ddjsnddejrjrfogpe
d
> igiikesgdfogimmlhesskqrkkrdslijpdqfpedrp
nesdnieekhempkdiq
l
> sromprkikoileknieddjesdjrproekoofkfkpsel
jhdddedlgpdhdplph
p
> jkhldlndmnehdskskkskesnllqdpldlofqpheqlo
eqpldilqdhhllqehl
d
> neklpkliqslhlfjqlmihjgkpgnfpksginegldrok
sorjdhdmsskhfoidg
p
> egsphhjrmiesgoonerokehdsepidedldffqmlqnq
soqsssqgnldgjqqid
n
> pphdeflipqlqoeejqjhsqdhdhlkdheeoioodrjng
hpkmqklgjkehekdhk
g
> mssqjqikiffkjlndfjghjjngqhqehqrlkrmqsods
lhjgqdienegjjnssp
m
> qhrmkjdqpspoelipoheldlereprrfedgejkoskef
fpdhfhkpjlmdjekqe
q
> eoqrpqlsilmrfqklngkdmggrdijlqdssqnqjdpil
ilieqgmqlolosdler
j
> sspgqldpleddqknolgsndgkkeqssfhmijeslqsqp
ipeheqnmedperfedd
g
> sfrodolojikqmdjsooeiperddpsdfoeodldslkmi
 - 404 -
>
>This is some kind of URL Request that after getting it a
>few times IIS will stop responding on HTTP.
>
>It came from different IP addresses in the world and
>seems to be from machines with Windows98 (Trojan horse
>maybe?)
>
>I fixed it with installing URLSCAN tool on IIS which
>automatically rejects these requests.
>
>If anyone has information about it or has seen it too
>please reply here.
>
>Regards,
>
>Kfir cohen -MCSE
>Systems Manager.
>
>
>
>
>.
>




[ Post a follow-up to this message ]



    Sponsored Links  




 



   All times are GMT. The time now is 06:12 AM.      Post New Thread    Post A Reply      
  Last Thread   Next Thread Next


Most Popular forums 
Apache Server MySQL for Windows Sendmail
Red Hat Networking SuSe Linux Debian Linux
FreeBSD administration Sun Solaris administration Unix Shell programming
WebSphere Portal Server Exchange 2000 administration PostgreSQL administration
Linux Security Computer Security Firewalls

Forum Jump:
Rate This Thread:

Forum Rules:
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts 		HTML code is OFF
vB code is ON
Smilies are ON
[IMG] code is OFF
 
Medical and Health forum | Computer Games Reviews | Graphics design forum

Back To The Top
Home | Usercp | Faq | Register