pokus o prunik

Dalibor Toman dtoman na fortech.cz
Pátek Červenec 20 10:58:08 CEST 2001 

> logy apache: access.log:
>
> 64.156.242.30 - - [19/Jul/2001:18:36:24 +0200] "GET
>
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNN
>
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%
>
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
a

to je pokus o naboreni MS IIS serveru. Apache by mel byt imuni. Zrovna
dneska prisel popis teto aktivity od Certu:

-------

CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In
IIS
Indexing Service DLL

   Original release date: July 19, 2001
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

   Systems running Microsoft Windows NT 4.0 and Windows 2000 with IIS
4.0
   or IIS 5.0 enabled

Overview

   The CERT/CC has received reports of new self-propagating malicious
   code that exploits certain configurations of Microsoft Windows
   susceptible to the vulnerability described in CERT advisory
CA-2001-13
   Buffer Overflow In IIS Indexing Service DLL. These reports indicate
   that the "Code Red" worm may have already affected as many as
225,000
   hosts, and continues to spread rapidly.

Description

   In examples we have seen, the "Code Red" worm attack proceeds as
   follows:
     * The victim host is scanned for TCP port 80 by the "Code Red"
worm.
     * The attacking host sends a crafted HTTP GET request to the
victim,
       attempting to exploit a buffer overflow in the Indexing Service
       described in CERT advisory CA-2001-13
     * If the exploit is successful, the worm begins executing on the
       victim host. Initially, the existence of the c:\notworm file is
       checked. Should this file be found, the worm ceases execution.
     * If c:\notworm is not found, the worm begins spawning threads to
       scan seemingly random IP addresses for hosts listening on TCP
port
       80, exploiting any vulnerable hosts it finds.
     * If the victim host's default language is English, then after
100
       scanning threads have started and a certain period of time has
       elapsed following infection, all web pages served by the victim
       host are defaced with the message

         HELLO! Welcome to http://www.worm.com! Hacked By Chinese!

     * If the victim host's default language is not English, the worm
       will continue scanning but no defacement will occur.

System Footprint

   The "Code Red" worm can be identified on victim machines by the
   presence of the following string in IIS log files:

/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a

---


D> Toman

Další informace o konferenci Linux