Ravens PHP Scripts: Forums
 

 

Forum: Ravens PHP Scripts And Web Hosting -> Security - Other
sixonetonoffun
Posted: Tue Jun 29, 2004 8:52 pm

If you see an entry like this in your logs:
299.*.*.* - - [06/Jun/2004:10:39:23 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
That goes on and on and on!

This is apparently the IIS WebDAV exploit.
Affected Software:
• Microsoft Windows NT 4.0
• Microsoft Windows NT 4.0 Terminal Server Edition
• Microsoft Windows 2000
• Microsoft Windows XP

Not Affected Software:
• Microsoft Windows Server 2003
• *NIX OS's
MS patches available: [link hidden by forum]


Source of details found here: [links hidden by forum]

One interesting way (for Apache users) suggested to rid yourself of those entries in your logs was to add something like this to your httpd.conf (assumes mod_rewrite is enabled). Replace the target URL with wherever you'd like to send these requests.

Code:
# RedirectMatch is provided by mod_alias, not mod_rewrite, so the guard has to
# test for mod_alias.c; under the original <IfModule mod_rewrite.c> guard the
# lines are loaded only when an unrelated module happens to be present.
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
# The log shows "\x90" because Apache escapes byte 0x90 when writing the log;
# the request path never contains the literal text "/x90/", so this last
# pattern does not catch the SEARCH probe itself.
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>


We could also do this in .htaccess, but what's the point?

I posted this because this has come up a few times here either in the chat or the forums.
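The signatures in the post above (the SEARCH method, a long run of non-printable bytes in the path, and the cmd.exe / root.exe / _vti_bin / msadc paths from the RedirectMatch list) can be checked against an access log offline. The following scanner is an added example, not code from the original post or from Sentinel. Apache writes non-printable request bytes to the log as \xHH, which is why the entry reads "\x90\x02\xb1..."; the scanner therefore matches the escaped form as it sits in the log file. The log lines in SAMPLE_LOG are constructed (documentation IP ranges), and the ALLOWED_METHODS set and the threshold of eight consecutive escapes are assumptions chosen for this example.

```python
import re
from typing import Optional

# Apache access-log line: client IP, then the request line in double quotes.
# The closing quote is optional so a truncated line (as in the post) still
# parses. Apache writes non-printable request bytes as \xHH, which is why the
# exploit attempt shows up in the log as "SEARCH /\x90\x02\xb1...".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] "(?P<req>[^"]*)')

# Methods a plain Apache site serving PHP pages should see (assumption).
ALLOWED_METHODS = {"GET", "HEAD", "POST"}

# Path fragments taken from the RedirectMatch list above (case-insensitive).
IIS_PROBE_RE = re.compile(
    r"cmd\.exe|root\.exe|/_vti_bin/|/scripts/\.\.|/_mem_bin/|/msadc/|/[cd]/winnt/",
    re.IGNORECASE,
)

# Eight or more consecutive \xHH escapes in the path: a binary blob such as a
# NOP sled, not something a browser ever puts in a URL. Threshold is assumed.
ESCAPED_RUN_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")

# Constructed sample log in the escaped form Apache writes to access_log.
# Raw strings keep the backslashes literal, exactly as they are in the file.
SAMPLE_LOG = [
    r'203.0.113.7 - - [06/Jun/2004:10:39:23 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 400 325',
    r'203.0.113.8 - - [06/Jun/2004:10:41:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283',
    r'198.51.100.4 - - [06/Jun/2004:10:42:17 -0500] "GET /index.php?name=News HTTP/1.1" 200 5120',
]


def classify(line: str) -> Optional[dict]:
    """Return a verdict dict for one access-log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m or not m.group("req"):
        return None
    parts = m.group("req").split(" ", 2)
    method = parts[0].upper()
    path = parts[1] if len(parts) > 1 else ""

    reasons = []
    if method not in ALLOWED_METHODS:
        reasons.append("unexpected method " + method)
    if ESCAPED_RUN_RE.search(path):
        reasons.append("binary payload in request path")
    if IIS_PROBE_RE.search(path):
        reasons.append("IIS/Nimda-style probe path")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "method": method, "path": path, "reasons": reasons}


def scan(lines) -> list:
    """Classify every line; keep only the suspicious ones."""
    return [v for v in (classify(line) for line in lines) if v is not None]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_LOG):
        print(verdict["ip"], verdict["method"], "; ".join(verdict["reasons"]))
```

Run it over a real access_log by replacing SAMPLE_LOG with the file's lines. The method check is the cheap, reliable signal: the payload check only fires when the request line survives into the log intact, whereas an unexpected method is visible even on a truncated entry.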
 
Raven
Posted: Wed Jun 30, 2004 4:48 am

I have tried to trap that fool thing in .htaccess using a regex but haven't been able to find the magic to do it. Potentially DDoSing MS is an interesting approach, but I want to figure out the .htaccess trap and work it into Sentinel.
 
sixonetonoffun
Posted: Wed Jun 30, 2004 10:26 am

Something like this, maybe? Seems like a lot of code just to catch this one bugger.
Code:
// Sentinel-style filter for the WebDAV SEARCH probe. The probe is recognised
// by its request method: PHP never fills $_SERVER['SEARCH'], $_POST['SEARCH']
// or $HTTP_GET_VARS['SEARCH'] for it, so those lookups (and the || chain,
// which only ever yields true/false) could not work.
$method = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
$uri    = isset($_SERVER['REQUEST_URI']) ? urldecode($_SERVER['REQUEST_URI']) : '';

// Look for the real bytes 0x90 / 0xB1. The log shows "\x90" only because
// Apache escapes them on the way into access_log; the text "x90" never
// appears in the live request. Parentheses fix the old "&& ... OR" precedence.
$payload = (strpos($uri, "\x90") !== false) || (strpos($uri, "\xb1") !== false);

if (strcasecmp($method, 'SEARCH') === 0 && $payload) {
    // block_ip(), write_mail(), $ab_config and $ip/$banuser/$agent/$bantime/
    // $reason/$remote are Sentinel's own and are assumed to be defined already.
    if ($ab_config['activate_filters'] > 1) {
        block_ip($ip, $banuser, $agent, $bantime, $reason, $ab_config['activate_filters']);
    } else {
        write_mail($remote, $banuser, $bantime, $reason);
        header('Location: index.php');
        exit;
    }
}
 
Raven
Posted: Wed Jun 30, 2004 10:42 am

A regex or preg_match will make it much simpler. I just haven't had time to get back to it.
 
xfsunolesphp
Posted: Wed Jun 30, 2004 4:12 pm

Raven wrote:
I have tried to trap that fool thing in .htaccess using a regex but haven't been able to find the magic to do it. Potentially DDoSing MS is an interesting approach, but I want to figure out the .htaccess trap and work it into Sentinel.

I love it, DoS Microsoft.
 
stephen2417
Posted: Wed Jun 30, 2004 4:16 pm

Here's another solution: [link hidden by forum]

EDIT: Apache 2.x just had a DoS hole that was patched, I heard.
 
xfsunolesphp
Posted: Wed Jun 30, 2004 4:24 pm

Use Redirect: if anyone tries to exploit, send them straight to Microsoft.
 
sixonetonoffun
Posted: Wed Jun 30, 2004 8:13 pm

This is fast and kills two like birds at once. I know TRACE is an old exploit, but it's worth including. I think cURL and LDAP might use the SEARCH method, but that's got to be about it for legitimate uses of it.
Code:
RewriteEngine On
# [OR] is required: without it the two conditions are ANDed, and a request
# method cannot be both TRACE and SEARCH, so the rule would never fire.
RewriteCond %{REQUEST_METHOD} ^TRACE$ [NC,OR]
RewriteCond %{REQUEST_METHOD} ^SEARCH$ [NC]
# [F] answers 403 Forbidden; [L] stops further rule processing.
RewriteRule ^.* - [F,L]
 
xfsunolesphp
Posted: Wed Jun 30, 2004 8:21 pm

Is there a way to use Redirect in there to point to microsoft.com?
 
sixonetonoffun
Posted: Wed Jun 30, 2004 8:44 pm

ROFLMAO! No.
Change the rewrite rule to
Code:
# Absolute URL plus the R flag makes it an external redirect; "/www.microsoft.com" alone is a local path
RewriteRule ^.*$ http://www.microsoft.com/ [R=301,L]
But don't tell them I had anything to do with it!
 
xfsunolesphp
Posted: Wed Jun 30, 2004 8:51 pm

Nobody knows it there. Do you love it?
 
Raven
Posted: Wed Jun 30, 2004 8:53 pm

Except that you keep advertising it.
 
sixonetonoffun
Posted: Fri Jul 02, 2004 10:36 am

Hate to bump this thread, but I was thinking about this and I think I came up with the simplest solution for Apache users. This should get rid of the huge entries in the Apache logs caused by this WebDAV exploit attempt.

Just add this to the .htaccess file:
Code:
# Every method except those listed is refused. "Require valid-user" only works
# when AuthType/AuthName/AuthUserFile are configured for this directory;
# without them Apache answers 500 rather than 401. Drop PUT unless you need it.
<LimitExcept GET PUT POST>
Require valid-user
</LimitExcept>
or
Code:
# Same method list, but an outright deny; no auth setup needed.
<LimitExcept GET PUT POST>
Order deny,allow
deny from all
</LimitExcept>

Which should disallow all request methods except GET, PUT and POST. My testing with HEAD and TRACE seemed less successful, so I'm thinking they are possibly excluded from the LimitExcept directive by default?

This is just a little twist on the Limit clause many of us use.
Code:
# <Limit> only covers the methods named: this allows GET/PUT/POST and says
# nothing about any other method. It is <LimitExcept> that closes the rest.
<Limit GET PUT POST>
Order Allow,Deny
Allow from all
</Limit>
 
stephen2417
Posted: Fri Jul 02, 2004 5:19 pm

OK, YIKES... I'm freaking out now. I forgot to do this last night and I wake up to find someone tried it 9 times on me!!!

Same IP, and the weirdest thing is the IP is coming from the same ISP I have and the same server that my IP comes out of... This could be someone down my freaking road attacking me!!!!!

I'm just a little annoyed, that's all!!!!!!!!!

Should I report their IP to my ISP?
 
Muffin
Posted: Fri Jul 02, 2004 5:30 pm

You sure it's not you? rofl
 
stephen2417
Posted: Fri Jul 02, 2004 5:33 pm

No, I checked that.

And just got attacked with this..
Code:
69.136.173.232 - - [02/Jul/2004:18:04:19 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 205

All I'm trying to do is run a little website out of my house and I get attacked!
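The %uXXXX tail of that request is what marks it as an .ida overflow attempt (the Code Red family) rather than a request for a missing file. IIS accepted %uXXXX as one UTF-16 code unit, and on x86 those units are laid down in memory little-endian, so %u9090 becomes the two NOP bytes 90 90 and %u6858 becomes 58 68. The decoder below is an added example, not code from the original posts; it reconstructs the request from the wrapped log line above (the exact count of X's is not recoverable from the wrapped text, so 224 is assumed) and shows the filler length, the decoded payload bytes and the NOP sled at the front.

```python
import re

# Constructed copy of the request path quoted in the post above. The %u words
# are taken from the log line as printed; the 224 X's are an assumption.
SAMPLE_REQUEST = (
    "/default.ida?" + "X" * 224
    + "%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%ucbd3%u7801"
    + "%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00"
    + "%u531b%u53ff%u0078%u0000%u00=a"
)

# IIS-specific %uXXXX escape: exactly four hex digits. Plain %XX escapes and
# the malformed trailing "%u00=a" are deliberately left unmatched.
UNICODE_ESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_u_escapes(s: str) -> bytes:
    """Return the bytes the %u escapes occupy in memory on x86 (little-endian),
    so %u9090 -> 90 90 and %u6858 -> 58 68 (the 'pop eax' / 'push' opcodes)."""
    return b"".join(int(h, 16).to_bytes(2, "little") for h in UNICODE_ESC_RE.findall(s))


def analyse(path: str) -> dict:
    """Split an .ida request into filler length, decoded payload and NOP count."""
    target, _, query = path.partition("?")
    padding = re.match(r"X*", query).end()      # filler that overruns the .ida buffer
    code = decode_u_escapes(query)
    leading_nops = len(code) - len(code.lstrip(b"\x90"))
    return {
        "is_ida_probe": target.lower().endswith(".ida"),
        "padding": padding,
        "shellcode_hex": code.hex(),
        "leading_nops": leading_nops,
    }


if __name__ == "__main__":
    r = analyse(SAMPLE_REQUEST)
    print("ida probe:", r["is_ida_probe"], "padding:", r["padding"])
    print("payload:", r["shellcode_hex"], "leading NOPs:", r["leading_nops"])
```

On an Apache box the same request can only ever produce a 404, as the log line shows; the decoder is useful for confirming what the 404 was, not for defending against it.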
 
xfsunolesphp
Posted: Fri Jul 02, 2004 5:36 pm

It appears 404 means File Not Found.
 
Raven
Posted: Fri Jul 02, 2004 5:39 pm

That is .ida, which only affected Microsoft servers and is about 3 years old. I hardly think you have to worry. Look up ida on Google.
 
xfsunolesphp
Posted: Fri Jul 02, 2004 5:40 pm

Why do people use IIS exploits against an Apache server?
 
stephen2417
Posted: Fri Jul 02, 2004 5:40 pm

I'm so glad I like Apache!!!
 
stephen2417
Posted: Mon Jul 05, 2004 9:51 pm

Six, how can we tell that this is getting forwarded to MS by looking at the logs?

Because I got attacked a lot today and just wanted to make sure it's working right.
 
sixonetonoffun
Posted: Mon Jul 05, 2004 10:16 pm

Hmm, good question. I don't know of a browser that lets you change the request method to SEARCH. Sam Spade lets you use DELETE, OPTIONS, GET, TRACE and HEAD, I think.
 
stephen2417
Posted: Tue Jul 06, 2004 12:54 am

I'm sure there's some kind of nasty Firefox extension that can do the job. I'll look around. Hell, someone made a proxy switcher.
 
stephen2417
Posted: Wed Jul 07, 2004 6:07 am

OK, I'm just a bit scared.. I keep getting attacked by local IP addresses. So far all coming from Ohio, and nearby!!!! Oh, and they're all coming from Earthlink, that would be my ISP!!!!!!!!!!!!

I don't think I need to call the cops yet, yet that is. Maybe I need a bodyguard or something.
 
sixonetonoffun
Posted: Wed Jul 07, 2004 8:47 am

If it's like the other .ida ones, there are probably just a bunch of Nimda-infected IIS servers in your IP range. Not much you can do about it really. Just make sure you're patched up to date.
 
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 