cmd.exe /c+dir 1

[Jonax]

Hi all,
a friend of mine asked showed me his iis-logfile and asked me if I knew just what the **** was going on... I must admit I didn't, but I guess somebody does, so here goes:

His logfile is full of entries like these:

80 GET /winnt/system32/cmd.exe /c+dir 404 -
80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -

(note: I've stripped the dates and the IPs)

Is this a hack-attempt? A Backdoor? A spider? The server itself?

I tried doing a reverse lookup on the client IP - but to no avail...

I'd realle appreciate any pointers on this, as I would like to help him restore his peace of mind

BTW: It's running on a terminal server...

TIA

Jonax

This is not a bug - it's an undocumented feature...
;-)

 

[Galrahn]

This is a Unicode File Transversal technique used to expoit IIS webservers that have not been properly patched. This technique was used by NIMDA and and other virus style web based scripts.

A patched system will reply with 404 or 500 errors in the logs, a response of 200 means you are vulnerable and the Unicode File Transversal has been executed successfully.

Unicode File Transversal and Double Unicode File Transversal techniques are common in kiddie scripts today, as they allow a hacker to use nothing more than a browser to exploit an unpatched system.

Example, the ..%5c.. represents ../.. because %5c is the hex value for /

Another common is ..%255c.. which is used for the Double Unicode File Transversal. It is broken down like this...

%25 = %
5 = 5
c = c

Which makes ..%255c.. = ..%5c.. which equals ../..

as you may already know, "../" from the command line is the same as moving down a level in your directory structure, so if you are the command line in C:\temp\temp and type "cd ../../" you will go directly to C:
The reason the double Unicode File Transversal works is because Microsoft's first patch to the vulnerablity only did a security check once, then allowed each subsequent hex value translate. Microsoft then released a new patch to fix this problem.

To answer your question, yes it is a hack attempt..., but more likely it was a script to determine if your vulnerable to the Unicode transveral techniques. So the request:

/scripts/..%5c../winnt/system32/cmd.exe /c+dir 500

was actually through a script or browser requested as:

http://www.yourwebsite.com/scripts/..\../winnt/system32/cmd.exe?/c+dir

? = execute
c+dir = same as a dir on the C:\ drive.

Enjoy.

More information can be found by searching google for "unicode file transversal" Most security web sites will give you much more information than I have.

Bottom line, stay current with Microsoft Security patches.

Galrahn
galrahn@galrahn.com

 

[napoleao]

When you see that in your access/error logs, that means that whoever was accessing your website, is infected with the code red virus.

Tell your friend to have his ISS fully patched.

 

[Galrahn]

Actually code red is different, code red exploited problems with index server. code red would like like:

GET

http://<ipaddress>/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN

NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%uc
bd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8
b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0

 

[Jonax]

Many thanks guys, I'll tell him to patch his IIS - I guess a simple visit to Windows Update should do the trick, right? This is not a bug - it's an undocumented feature...
;-)