URGENT weird url to my site

I have a custom 404 page that gathers information when someone accesses a URL that does not exist. Here is what it gathered. Please look at the first few lines. I'm not sure what someone is attempting to do.


404 error generated:
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
ALL_HTTP HTTP_ACCEPT:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* HTTP_ACCEPT_LANGUAGE:en-us HTTP_HOST:my ip address:81 HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) HTTP_ACCEPT_ENCODING:gzip, deflate
ALL_RAW Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* Accept-Language: en-us Host: my ip address:81 User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) Accept-Encoding: gzip, deflate
APPL_MD_PATH /LM/W3SVC/1/Root/myDomain.com/www
APPL_PHYSICAL_PATH E:\virtualhosts\myDomain.com\www\
AUTH_PASSWORD
AUTH_TYPE
AUTH_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH 0
CONTENT_TYPE
GATEWAY_INTERFACE CGI/1.1
HTTPS off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID 1
INSTANCE_META_PATH /LM/W3SVC/1
LOCAL_ADDR my ip address
LOGON_USER
PATH_INFO /myDomain.com/www/tech/errors/404notfound.asp
PATH_TRANSLATED E:\virtualhosts\myDomain.com\www\tech\errors\404notfound.asp
QUERY_STRING unfoundURL=http://my ip address/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
REMOTE_ADDR my ip address
REMOTE_HOST my ip address
REMOTE_USER
REQUEST_METHOD GET
SCRIPT_NAME /myDomain.com/www/tech/errors/404notfound.asp
SERVER_NAME my ip address
SERVER_PORT 81
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.0
SERVER_SOFTWARE Microsoft-IIS/4.0
URL /myDomain.com/www/tech/errors/404notfound.asp
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */*
HTTP_ACCEPT_LANGUAGE en-us
HTTP_HOST my ip address:81
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107)
HTTP_ACCEPT_ENCODING gzip, deflate
itDepartment Asked:
John844 Commented:
they are trying to look at the contents of your C drive.
0
 
John844 Commented:
REMOTE_ADDR my ip address
REMOTE_HOST my ip address

someone using your ip address like from your machine or a machine on your network
0
 
John844 Commented:
The values in the query string like %c0 and others with the % sign are characters that are encoded to be passed through the query string. The user did not usually type these. To find out what character they are, find what value c0 is in hex, then find out what character has this ASCII value.
0
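What %c0%af actually is, shown as an added example that is not part of the original thread: the two bytes C0 AF are an overlong UTF-8 encoding of "/" (the shortest, and only valid, form is the single byte 2F), and %c1%9c is the same trick for "\". A conforming decoder rejects overlong forms, but unpatched IIS 4.0 and 5.0 accepted them, and they ran the ".." traversal check before the UTF-8 decode, so the check saw a single odd segment "..À¯.." rather than "../..". The "..A?.." in the first line of the report is most likely those same two bytes as the mail client rendered them. The Python below models both orderings; the virtual directory /scripts and its physical path C:\inetpub\scripts are assumed defaults, not values taken from the page.

```python
"""Model of the IIS "Unicode" traversal: why "..%c0%af.." passes a ".." check.

Added example, not code from the original thread. The vroot "/scripts" and its
physical directory C:\\inetpub\\scripts are assumed defaults.
"""
import ntpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed sample: the path part of the request the 404 page captured.
ATTACK_PATH = "/scripts/..%c0%af../winnt/system32/cmd.exe"
VROOT, PHYSICAL = "/scripts", r"C:\inetpub\scripts"


def lenient_utf8(data: bytes) -> str:
    """Decoder that accepts overlong sequences (models the unpatched server).
    C0 AF decodes to U+002F '/' even though the shortest form is the byte 2F."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b < 0xE0 and i + 1 < len(data) and data[i + 1] & 0xC0 == 0x80:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        elif (0xE0 <= b < 0xF0 and i + 2 < len(data)
              and data[i + 1] & 0xC0 == 0x80 and data[i + 2] & 0xC0 == 0x80):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                           | (data[i + 2] & 0x3F))); i += 3
        else:
            out.append(chr(b)); i += 1          # stray byte: keep it as Latin-1
    return "".join(out)


def strict_utf8(data: bytes) -> Optional[str]:
    """A conforming decoder rejects overlong forms outright (C0/C1 lead bytes)."""
    try:
        return data.decode("utf-8")
    except UnicodeDecodeError:
        return None


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments: the traversal check's view of the URL."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def vulnerable_map(url_path: str) -> Optional[str]:
    """Unpatched order: percent-decode, check '..', map to disk, THEN UTF-8 decode."""
    raw = unquote_to_bytes(url_path).decode("latin-1")   # one char per byte
    canon = normalize(raw)                               # "..\xc0\xaf.." is one segment
    if not canon.startswith(VROOT + "/"):
        return None                      # 403: a literal ../ is caught here
    rest = lenient_utf8(canon[len(VROOT):].encode("latin-1"))  # C0 AF -> '/' only now
    return ntpath.normpath(PHYSICAL + rest.replace("/", "\\"))  # filesystem resolves ..


def patched_map(url_path: str) -> Optional[str]:
    """Fixed order: decode strictly first, then canonicalise, then check containment."""
    decoded = strict_utf8(unquote_to_bytes(url_path))
    if decoded is None:
        return None                      # 400: malformed UTF-8 in the URL
    canon = normalize(decoded)
    if not canon.startswith(VROOT + "/"):
        return None                      # 403: escaped the virtual root
    return ntpath.normpath(PHYSICAL + canon[len(VROOT):].replace("/", "\\"))


if __name__ == "__main__":
    print("lenient %c0%af ->", repr(lenient_utf8(b"\xc0\xaf")))
    print("strict  %c0%af ->", strict_utf8(b"\xc0\xaf"))
    print("unpatched maps to:", vulnerable_map(ATTACK_PATH))
    print("patched maps to:  ", patched_map(ATTACK_PATH))
    print("plain ../ on unpatched:", vulnerable_map("/scripts/../../winnt/system32/cmd.exe"))
```

The last line of the demo shows why the attacker needed the encoding at all: a plain "/scripts/../../winnt/..." is collapsed to "/winnt/..." and refused even on an unpatched server, whereas the overlong pair only turns into a separator after the check has run, so the physical path resolves to C:\winnt\system32\cmd.exe under the /scripts virtual directory's permissions.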
CUTTHEMUSIC Commented:
Has this method worked in the past? I tried it myself on my intranet server and it does not do anything except give me a 404.
0
 
Michel Sakr Commented:
They are trying to use the latest IIS5 hole.. stop the print service on the web server.. tomorrow I'll paste the full documentation of this hole, or patch to SP2 if you have Win2k.. and yes, they are trying to list the system dir.. check from which IP the request was generated and restrict it from IIS (as a preventive measure) or trace it..
0
 
CUTTHEMUSIC Commented:
the machine is NT 4 IIS 4
0
 
thunderchicken Commented:
Someone wrote this script on your page

<%
' Dump every server variable of the current request, one per line
dim item
for each item in request.servervariables
  response.write item & ":" & request.servervariables(item)&"<br>"
next
%>

Go to your Internet Service Manager and see if this script is in your 404 error default page.

That's my thoughts on that. Sounds like a sucky situation.
0
 
CUTTHEMUSIC Commented:
I wrote that script. The 404 page is run every time someone requests a page that is not on the server. It collects all server variables and the URL that the user is requesting. It then emails it to me. That's where I got the info from.
P.S. CUTTHEMUSIC & itDepartment are both part of the same company; that's why I am replying to this thread.
0
 
CUTTHEMUSIC Commented:
Our concern is because someone attempted to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:

The URL looks like it may be malicious.
0
 
thunderchicken Commented:
Have you tried resetting the 404 page through Internet Services Manager? Maybe see what's in it?
0
 
CUTTHEMUSIC Commented:
We created the custom 404 page to inform us when a user attempts to access a page that does not exist. What happened is someone tried to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
on my server. My server recognized that it could not be found and redirected to my custom 404 page, where it gathered the above information about the user and the unfound URL and then emailed it to us.

P.S. CUTTHEMUSIC & itDepartment are both part of the same company; that's why I am replying to this thread.
0
 
dgorin Commented:
Check out your server log files; you'll probably see lots of these kinds of hack attempts. As long as the response is 404, nothing bad happened. There are a lot of break-in attempts going on these days.

This particular attempt would, if your server was misconfigured, allow the hacker to open the command program (the same program that opens a DOS window in NT and 2K). If successful, nothing good would follow.
0
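A way to act on the advice above, added here as an example and not part of the original thread: scan the IIS W3C extended log for the signatures of this probe (overlong UTF-8 escapes, ".." segments, a reference to cmd.exe or winnt\system32) and separate refused attempts (403/404) from ones the server answered with 200. The log lines are constructed for the example and the field layout is the one named in the "#Fields:" line; a real IIS log may record the URI stem already decoded, so check both forms in practice.

```python
"""Scan an IIS W3C extended log for Unicode-traversal probes.

Added example, not code from the original thread. SAMPLE_LOG is constructed;
the field order comes from its own "#Fields:" header line.
"""
import re
from typing import Dict, List
from urllib.parse import unquote_to_bytes

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-14 03:12:07 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c: 404
2001-05-14 03:12:09 198.51.100.23 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c: 404
2001-05-14 03:12:11 198.51.100.23 GET /msadc/..%e0%80%af../winnt/system32/cmd.exe /c+dir 200
2001-05-14 03:15:40 192.0.2.8 GET /tech/index.asp - 200
2001-05-14 03:16:02 192.0.2.8 GET /images/logo.gif - 304
2001-05-14 03:20:55 198.51.100.23 GET /scripts/../../winnt/system32/cmd.exe /c+dir 403
"""

# Overlong UTF-8 escapes: a C0/C1 two-byte lead, or an E0 three-byte lead whose
# second byte is 80..9F. Neither can occur in well-formed UTF-8.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}|%e0%[89][0-9a-f]%[0-9a-f]{2}", re.I)
SENSITIVE = re.compile(r"cmd\.exe|winnt[/\\]system32", re.I)


def classify(stem: str, query: str, status: str) -> List[str]:
    """Return the reasons a request looks like a traversal probe (empty if clean)."""
    reasons = []
    raw = stem + ("?" + query if query != "-" else "")
    if OVERLONG.search(raw):
        reasons.append("overlong-utf8")
    # Percent-decode as Latin-1 so every byte stays one character: a segment that
    # starts with ".." next to an overlong pair is exactly the exploit's shape.
    decoded = unquote_to_bytes(stem).decode("latin-1")
    if any(seg.startswith("..") for seg in decoded.split("/")):
        reasons.append("dot-dot")
    if SENSITIVE.search(decoded):
        reasons.append("system-binary")
    if reasons and status == "200":
        reasons.append("SUCCEEDED")      # 403/404 means the server refused it
    return reasons


def scan(log_text: str) -> List[Dict[str, object]]:
    """Parse W3C extended log lines and return the suspicious records."""
    hits: List[Dict[str, object]] = []
    fields: List[str] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]    # field names drive the column mapping
            continue
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        reasons = classify(rec["cs-uri-stem"], rec["cs-uri-query"], rec["sc-status"])
        if reasons:
            hits.append({"ip": rec["c-ip"], "stem": rec["cs-uri-stem"],
                         "status": rec["sc-status"], "reasons": reasons})
    return hits


def by_source(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count probes per client address, the list to feed an IP restriction."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["ip"])] = counts.get(str(h["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["status"], h["ip"], h["stem"], ",".join(h["reasons"]))
    print(by_source(scan(SAMPLE_LOG)))
```

Any hit tagged SUCCEEDED deserves a forensic look at the host rather than a log note: a 200 on a request for cmd.exe means the server ran it, which is the "nothing good would follow" case above.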
 
Fenatu Commented:
That's called an Extended Unicode directory traversal vulnerability.

See this for more info:
http://www.securityfocus.com/vdb/bottom.html?vid=1806
0
 
Michel Sakr Commented:
IIS4 is vulnerable too for that if not patched to the latest SP..
0
 
Michel Sakr Commented:
And if you've set read permissions for Everyone on the system directory..
0
 
CUTTHEMUSIC Commented:
What should the permissions be on the system directory, or any other directory for that matter?
0
 
Michel Sakr Commented:
The default permissions set upon NT installation.. As a rule of thumb, don't ever give Everyone permissions on directories on web servers and on shared directories on other servers.. If NT is administered correctly it has powerful security.. the leak in NT security is good administrators.
0
 
CUTTHEMUSIC Commented:
Any articles online on exactly how to set the permissions?
0
 
Michel Sakr Commented:
Hmm.. search MSDN on Microsoft's site..
0
 
itDepartment Author Commented:
After further investigation with my host we found that someone was trying to compromise the entire network. No harm was done and I believe the individual was even identified. Thanks to everyone who helped.
0
 
Michel Sakr Commented:
Hang the bastard :o)
0