pokus o prunik
Dalibor Toman
dtoman na fortech.cz
Pátek Červenec 20 10:58:08 CEST 2001
> logy apache: access.log:
>
> 64.156.242.30 - - [19/Jul/2001:18:36:24 +0200] "GET
>
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNN
>
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNN
>
NNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%
>
u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=
a
to je pokus o naboreni MS IIS serveru. Apache by mel byt imuni. Zrovna
dneska prisel popis teto aktivity od Certu:
-------
CERT Advisory CA-2001-19 "Code Red" Worm Exploiting Buffer Overflow In
IIS
Indexing Service DLL
Original release date: July 19, 2001
Source: CERT/CC
A complete revision history can be found at the end of this file.
Systems Affected
Systems running Microsoft Windows NT 4.0 and Windows 2000 with IIS
4.0
or IIS 5.0 enabled
Overview
The CERT/CC has received reports of new self-propagating malicious
code that exploits certain configurations of Microsoft Windows
susceptible to the vulnerability described in CERT advisory
CA-2001-13
Buffer Overflow In IIS Indexing Service DLL. These reports indicate
that the "Code Red" worm may have already affected as many as
225,000
hosts, and continues to spread rapidly.
Description
In examples we have seen, the "Code Red" worm attack proceeds as
follows:
* The victim host is scanned for TCP port 80 by the "Code Red"
worm.
* The attacking host sends a crafted HTTP GET request to the
victim,
attempting to exploit a buffer overflow in the Indexing Service
described in CERT advisory CA-2001-13
* If the exploit is successful, the worm begins executing on the
victim host. Initially, the existence of the c:\notworm file is
checked. Should this file be found, the worm ceases execution.
* If c:\notworm is not found, the worm begins spawning threads to
scan seemingly random IP addresses for hosts listening on TCP
port
80, exploiting any vulnerable hosts it finds.
* If the victim host's default language is English, then after
100
scanning threads have started and a certain period of time has
elapsed following infection, all web pages served by the victim
host are defaced with the message
HELLO! Welcome to http://www.worm.com! Hacked By Chinese!
* If the victim host's default language is not English, the worm
will continue scanning but no defacement will occur.
System Footprint
The "Code Red" worm can be identified on victim machines by the
presence of the following string in IIS log files:
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%
u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531
b%u53ff%u0078%u0000%u00=a
---
D> Toman
Další informace o konferenci Linux