Solved: URGENT weird url to my site

Posted on 2001-07-19
Last Modified: 2008-02-01
I have a custom 404 page that gathers information when someone accesses a URL that does not exist. Here is what it gathered. Please look at the first few lines. I'm not sure what someone is attempting to do.


404 error generated:
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
ALL_HTTP HTTP_ACCEPT:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* HTTP_ACCEPT_LANGUAGE:en-us HTTP_HOST:my ip address:81 HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) HTTP_ACCEPT_ENCODING:gzip, deflate
ALL_RAW Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* Accept-Language: en-us Host: my ip address:81 User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) Accept-Encoding: gzip, deflate
APPL_MD_PATH /LM/W3SVC/1/Root/myDomain.com/www
APPL_PHYSICAL_PATH E:\virtualhosts\myDomain.com\www\
AUTH_PASSWORD
AUTH_TYPE
AUTH_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH 0
CONTENT_TYPE
GATEWAY_INTERFACE CGI/1.1
HTTPS off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID 1
INSTANCE_META_PATH /LM/W3SVC/1
LOCAL_ADDR my ip address
LOGON_USER
PATH_INFO /myDomain.com/www/tech/errors/404notfound.asp
PATH_TRANSLATED E:\virtualhosts\myDomain.com\www\tech\errors\404notfound.asp
QUERY_STRING unfoundURL=http://my ip address/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
REMOTE_ADDR my ip address
REMOTE_HOST my ip address
REMOTE_USER
REQUEST_METHOD GET
SCRIPT_NAME /myDomain.com/www/tech/errors/404notfound.asp
SERVER_NAME my ip address
SERVER_PORT 81
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.0
SERVER_SOFTWARE Microsoft-IIS/4.0
URL /myDomain.com/www/tech/errors/404notfound.asp
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */*
HTTP_ACCEPT_LANGUAGE en-us
HTTP_HOST my ip address:81
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107)
HTTP_ACCEPT_ENCODING gzip, deflate
Question by: itDepartment

Accepted Solution by John844 (earned 200 total points):
They are trying to look at the contents of your C drive.

Expert Comment by John844:
REMOTE_ADDR my ip address
REMOTE_HOST my ip address

Someone using your IP address, like from your machine or a machine on your network.

Expert Comment by John844:
The values in the query string like %c0 and others with the % sign are characters that are encoded to be passed through the query string. The user did not type these, usually. To find out what character they are, find what value c0 is in hex, then find out what character has this ASCII value.

Expert Comment by CUTTHEMUSIC:
Has this method worked in the past? I tried it myself on my intranet server and it does not do anything except give me a 404.

Expert Comment by Silvers5:
They are trying to use the latest IIS5 hole. Stop the print service on the web server. Tomorrow I'll paste the full documentation of this hole, or patch to SP2 if you have Win2K. And yes, they are trying to list the system dir. Check from which IP the request was generated and restrict it from IIS (as a preventive measure) or trace it.

Expert Comment by CUTTHEMUSIC:
The machine is NT 4, IIS 4.

Expert Comment by thunderchicken:
Someone wrote this script on your page:

<%
' Dump every server variable name and value, one per line
dim item
for each item in request.servervariables
  response.write item & ":" & request.servervariables(item) & "<br>"
next
%>

Go to your Internet Manager and see if this script is in your 404 error default page.

That's my thoughts on that. Sounds like a sucky situation.

Expert Comment by CUTTHEMUSIC:
I wrote that script. The 404 page is run every time someone requests a page that is not on the server. It collects all server variables and the URL that the user is requesting. It then emails it to me. That's where I got the info from.
p.s. CUTTHEMUSIC & itDepartment are both part of the same company; that's why I am replying to this thread.

Expert Comment by CUTTHEMUSIC:
Our concern is because someone attempted to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:

The URL looks like it may be malicious.

Expert Comment by thunderchicken:
Have you tried resetting the 404 page through internet services manager?  Maybe see what's in it?

Expert Comment by CUTTHEMUSIC:
We created the custom 404 page to inform us when a user attempts to access a page that does not exist. What happened is someone tried to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
on my server. My server recognized that it could not be found and redirected to my custom 404 page, where it gathered the above information about the user and the unfound URL and then emailed it to us.

p.s. CUTTHEMUSIC & itDepartment are both part of the same company; that's why I am replying to this thread.

Expert Comment by dgorin:
Check out your server log files; you'll probably see lots of these kinds of hack attempts. As long as the response is 404, nothing bad happened. There are a lot of break-in attempts going on these days.

This particular attempt would, if your server was misconfigured, allow the hacker to open the command program (the same program that opens a DOS window in NT and 2K). If successful, nothing good would follow.

Expert Comment by Fenatu:
That's called an Extended Unicode directory traversal vulnerability.

See this for more info:
http://www.securityfocus.com/vdb/bottom.html?vid=1806
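As an added example (not code from the thread or from any of its posters), here is a small Python checker written from the defender's side: it normalizes a request path the way dgorin's "check your logs" advice needs, by percent-decoding, folding overlong two-byte UTF-8 such as the %c0%af in the thread's URL back to the ASCII it stands for, and then flagging dot-dot traversal toward cmd.exe. The sample paths and all function names (decode_overlong, normalize, classify) are constructed for this illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample request paths (not from a real log). The first is the
# %c0%af form quoted in the thread; the second is a double-encoded variant.
SAMPLE_REQUESTS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:",
    "/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:",
    "/tech/errors/404notfound.asp",
]

TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
CMD_TARGET = re.compile(r"/(winnt|windows)/system32/cmd\.exe", re.IGNORECASE)

def decode_overlong(data):
    """Fold overlong 2-byte UTF-8 (lead 0xC0/0xC1) into the ASCII byte it encodes."""
    out, overlong, i = bytearray(), False, 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            # %c0%af -> ((0xC0 & 0x1F) << 6) | (0xAF & 0x3F) = 0x2F = '/'
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            overlong, i = True, i + 2
        else:
            out.append(b)
            i += 1
    return bytes(out), overlong

def normalize(raw_path):
    """Bounded repeated percent-decoding (catches %25 double encoding), then
    overlong folding and backslash-to-slash so traversal shows up as '../'."""
    buf, overlong = raw_path.encode("latin-1", "replace"), False
    for _ in range(3):
        decoded, saw = decode_overlong(unquote_to_bytes(buf))
        overlong = overlong or saw
        if decoded == buf:
            break
        buf = decoded
    return buf.decode("latin-1").replace("\\", "/"), overlong

def classify(raw_path):
    """Reasons a request path matches this attack pattern; [] means clean."""
    path, overlong = normalize(raw_path)
    checks = [("overlong-utf8", overlong),
              ("dot-dot-traversal", TRAVERSAL.search(path)),
              ("cmd.exe-target", CMD_TARGET.search(path))]
    return [name for name, hit in checks if hit]

for req in SAMPLE_REQUESTS:
    print(req, "->", classify(req) or "clean")
```

Run it over the request column of your IIS log and anything that reports a non-empty reason list is worth a look, even when the server answered 404.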
 
Expert Comment by Silvers5:
IIS4 is vulnerable to that too, if not patched to the latest SP.

Expert Comment by Silvers5:
And if you've set read permissions for Everyone on the system directory.

Expert Comment by CUTTHEMUSIC:
What should the permissions be on the system directory, or any other directory for that matter?

Expert Comment by Silvers5:
The default permissions set upon NT installation. As a rule of thumb, don't ever give Everyone permissions on directories on web servers or on shared directories on other servers. If NT is administered correctly it has powerful security; the leak in NT security is good administrators.

Expert Comment by CUTTHEMUSIC:
Any articles online on exactly how to set the permissions?

Expert Comment by Silvers5:
Hmm, search MSDN on Microsoft's site.

Author Comment by itDepartment:
After further investigation with my host we found that someone was trying to compromise the entire network. No harm was done and I believe the individual was even identified. Thanks to everyone who helped.

Expert Comment by Silvers5:
Hang the bastard :o)