Solved

URGENT weird url to my site

Posted on 2001-07-19
Last Modified: 2008-02-01
I have a custom 404 page that gathers information when someone accesses a URL that does not exist. Here is what it gathered. Please look at the first few lines. I'm not sure what someone is attempting to do.


404 error generated:
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
ALL_HTTP HTTP_ACCEPT:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* HTTP_ACCEPT_LANGUAGE:en-us HTTP_HOST:my ip address:81 HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) HTTP_ACCEPT_ENCODING:gzip, deflate
ALL_RAW Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* Accept-Language: en-us Host: my ip address:81 User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) Accept-Encoding: gzip, deflate
APPL_MD_PATH /LM/W3SVC/1/Root/myDomain.com/www
APPL_PHYSICAL_PATH E:\virtualhosts\myDomain.com\www\
AUTH_PASSWORD
AUTH_TYPE
AUTH_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH 0
CONTENT_TYPE
GATEWAY_INTERFACE CGI/1.1
HTTPS off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID 1
INSTANCE_META_PATH /LM/W3SVC/1
LOCAL_ADDR my ip address
LOGON_USER
PATH_INFO /myDomain.com/www/tech/errors/404notfound.asp
PATH_TRANSLATED E:\virtualhosts\myDomain.com\www\tech\errors\404notfound.asp
QUERY_STRING unfoundURL=http://my ip address/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
REMOTE_ADDR my ip address
REMOTE_HOST my ip address
REMOTE_USER
REQUEST_METHOD GET
SCRIPT_NAME /myDomain.com/www/tech/errors/404notfound.asp
SERVER_NAME my ip address
SERVER_PORT 81
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.0
SERVER_SOFTWARE Microsoft-IIS/4.0
URL /myDomain.com/www/tech/errors/404notfound.asp
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */*
HTTP_ACCEPT_LANGUAGE en-us
HTTP_HOST my ip address:81
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107)
HTTP_ACCEPT_ENCODING gzip, deflate
Question by:itDepartment
21 Comments
 
LVL 7

Accepted Solution

by:John844 (earned 200 total points)
ID: 6299454
They are trying to look at the contents of your C drive.
 
LVL 7

Expert Comment

by:John844
ID: 6299464
REMOTE_ADDR my ip address
REMOTE_HOST my ip address

Someone is using your IP address, like from your machine or a machine on your network.
 
LVL 7

Expert Comment

by:John844
ID: 6299471
The values in the query string like %c0 and others with the % sign are characters that are encoded to be passed through the query string. The user usually did not type these. To find out what character they are, find what value c0 is in hex, then find out what character has this ASCII value.
 
LVL 2

Expert Comment

by:CUTTHEMUSIC
ID: 6299533
Has this method worked in the past? I tried it myself on my intranet server and it does not do anything except give me a 404.
 
LVL 20

Expert Comment

by:Silvers5
ID: 6299698
They are trying to use the latest IIS5 hole.. stop the print service on the web server.. tomorrow I'll paste the full documentation of this hole, or patch to SP2 if you have Win2K.. and yes, they are trying to list the system dir.. check from which IP the request was generated and restrict it from IIS (as a preventive measure) or trace it..
 
LVL 2

Expert Comment

by:CUTTHEMUSIC
ID: 6299730
The machine is NT 4, IIS 4.
 
LVL 11

Expert Comment

by:thunderchicken
ID: 6299809
Someone wrote this script on your page

<%
' Dump every server variable of the current request, one per line
dim item
for each item in request.servervariables
  response.write item & ":" & request.servervariables(item) & "<br>"
next
%>

Go to your Internet Manager and see if this script is in your 404 error default page.

That's my thoughts on that.  Sounds like a sucky situation.
 
LVL 2

Expert Comment

by:CUTTHEMUSIC
ID: 6299826
I wrote that script. The 404 page is run every time someone requests a page that is not on the server. It collects all server variables and the URL that the user is requesting. It then emails it to me. That's where I got the info from.
p.s. CUTTHEMUSIC & itDepartment are both part of the same company, that's why I am replying to this thread.
 
LVL 2

Expert Comment

by:CUTTHEMUSIC
ID: 6299833
Our concern is because someone attempted to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:

The URL looks like it may be malicious.
 
LVL 11

Expert Comment

by:thunderchicken
ID: 6299842
Have you tried resetting the 404 page through internet services manager?  Maybe see what's in it?
 
LVL 2

Expert Comment

by:CUTTHEMUSIC
ID: 6299855
We created the custom 404 page to inform us when a user attempts to access a page that does not exist. What happened is someone tried to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
on my server. My server recognized that it could not be found and redirected to my custom 404 page, where it gathered the above information about the user and the unfound URL and then emailed it to us.

p.s. CUTTHEMUSIC & itDepartment are both part of the same company, that's why I am replying to this thread.
 
LVL 5

Expert Comment

by:dgorin
ID: 6299864
Check out your server log files; you'll probably see lots of these kinds of hack attempts. As long as the response is 404, nothing bad happened. There are a lot of break-in attempts going on these days.

This particular attempt would, if your server was misconfigured, allow the hacker to open the command program (the same program that opens a DOS window in NT and 2K). If successful, nothing good would follow.
 
LVL 2

Expert Comment

by:Fenatu
ID: 6300287
That's called an Extended Unicode directory traversal vulnerability.

See this for more info:
http://www.securityfocus.com/vdb/bottom.html?vid=1806
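As an added illustration (not code from this thread), the following Python shows why the %c0%af in the captured query string matters: it is the overlong two-byte UTF-8 form of "/", which a strict decoder rejects but a permissive parser collapses to "/" after a path filter has already looked for "../". The sample requests and the lenient decoder are constructed for the example; the first sample is the query string captured by the 404 page above, and the same function can be run over other 404 URLs pulled from the server logs.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed sample requests: the first is the URL captured by the custom
# 404 page on this page, the others are ordinary requests for comparison.
SAMPLE_REQUESTS = [
    "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:",
    "/myDomain.com/www/tech/errors/404notfound.asp",
    "/images/logo.gif",
]

# Two-byte sequences starting with C0 or C1 are always overlong (they encode
# a code point below U+0080 that already fits in one byte).
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")


def lenient_decode(raw: bytes) -> str:
    """Decode like a permissive parser: any lead byte C0..DF followed by a
    continuation byte is accepted, so C0 AF becomes '/' (U+002F).
    Python's strict bytes.decode('utf-8') would reject it instead."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def analyse_request(url: str) -> dict:
    """Flag percent-encoded overlong UTF-8 that hides a '../' from a filter
    that runs before decoding, which is the pattern seen in this thread."""
    path = url.split("?", 1)[0]          # query string is not part of the path
    raw = unquote_to_bytes(path)          # %xx -> bytes, without UTF-8 decoding
    overlong = [m.group().hex() for m in OVERLONG_2BYTE.finditer(raw)]
    try:
        raw.decode("utf-8")
        strict_ok = True
    except UnicodeDecodeError:
        strict_ok = False
    decoded = lenient_decode(raw)
    traversal = "../" in decoded or "..\\" in decoded
    return {"url": url, "overlong_sequences": overlong,
            "rejected_by_strict_utf8": not strict_ok,
            "traversal_after_decoding": traversal,
            "suspicious": bool(overlong) or traversal}


def suspicious_requests(urls):
    """Return the analysis for every URL that looks like a traversal attempt."""
    return [r for r in map(analyse_request, urls) if r["suspicious"]]
```

Running suspicious_requests(SAMPLE_REQUESTS) reports only the first URL, with overlong sequence c0af, rejected by a strict decoder, and a traversal visible once leniently decoded.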
 
LVL 20

Expert Comment

by:Silvers5
ID: 6301002
IIS4 is vulnerable to that too if not patched to the latest SP..
 
LVL 20

Expert Comment

by:Silvers5
ID: 6301006
and if you've set read permissions for Everyone in the system directory..
 
LVL 2

Expert Comment

by:CUTTHEMUSIC
ID: 6302252
What should the permissions be on the system directory, or any other directory for that matter?
 
LVL 20

Expert Comment

by:Silvers5
ID: 6302268
The default permissions set upon NT installation.. As a rule of thumb, don't ever give Everyone permissions on directories on web servers and on shared directories on other servers.. If NT is administered correctly it has powerful security.. the leak in NT security is good administrators.
 
LVL 2

Expert Comment

by:CUTTHEMUSIC
ID: 6302278
Any articles online on exactly how to set the permissions?
 
LVL 20

Expert Comment

by:Silvers5
ID: 6302313
hmm.. search msdn on microsoft's site..
 

Author Comment

by:itDepartment
ID: 6309845
After further investigation with my host we found that someone was trying to compromise the entire network. No harm was done and I believe the individual was even identified. Thanks to everyone who helped.
 
LVL 20

Expert Comment

by:Silvers5
ID: 6312166
Hang the bastard :o)