itDepartment asked:

URGENT: weird URL to my site

I have a custom 404 page that gathers information when someone accesses a URL that does not exist. Here is what it gathered. Please look at the first few lines. I'm not sure what someone is attempting to do.


404 error generated:
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
ALL_HTTP HTTP_ACCEPT:image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* HTTP_ACCEPT_LANGUAGE:en-us HTTP_HOST:my ip address:81 HTTP_USER_AGENT:Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) HTTP_ACCEPT_ENCODING:gzip, deflate
ALL_RAW Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */* Accept-Language: en-us Host: my ip address:81 User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107) Accept-Encoding: gzip, deflate
APPL_MD_PATH /LM/W3SVC/1/Root/myDomain.com/www
APPL_PHYSICAL_PATH E:\virtualhosts\myDomain.com\www\
AUTH_PASSWORD
AUTH_TYPE
AUTH_USER
CERT_COOKIE
CERT_FLAGS
CERT_ISSUER
CERT_KEYSIZE
CERT_SECRETKEYSIZE
CERT_SERIALNUMBER
CERT_SERVER_ISSUER
CERT_SERVER_SUBJECT
CERT_SUBJECT
CONTENT_LENGTH 0
CONTENT_TYPE
GATEWAY_INTERFACE CGI/1.1
HTTPS off
HTTPS_KEYSIZE
HTTPS_SECRETKEYSIZE
HTTPS_SERVER_ISSUER
HTTPS_SERVER_SUBJECT
INSTANCE_ID 1
INSTANCE_META_PATH /LM/W3SVC/1
LOCAL_ADDR my ip address
LOGON_USER
PATH_INFO /myDomain.com/www/tech/errors/404notfound.asp
PATH_TRANSLATED E:\virtualhosts\myDomain.com\www\tech\errors\404notfound.asp
QUERY_STRING unfoundURL=http://my ip address/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:
REMOTE_ADDR my ip address
REMOTE_HOST my ip address
REMOTE_USER
REQUEST_METHOD GET
SCRIPT_NAME /myDomain.com/www/tech/errors/404notfound.asp
SERVER_NAME my ip address
SERVER_PORT 81
SERVER_PORT_SECURE 0
SERVER_PROTOCOL HTTP/1.0
SERVER_SOFTWARE Microsoft-IIS/4.0
URL /myDomain.com/www/tech/errors/404notfound.asp
HTTP_ACCEPT image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-gsarcade-launch, */*
HTTP_ACCEPT_LANGUAGE en-us
HTTP_HOST my ip address:81
HTTP_USER_AGENT Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt; AtHome0107)
HTTP_ACCEPT_ENCODING gzip, deflate
ASKER CERTIFIED SOLUTION by John844 (available to members only)

John844:

REMOTE_ADDR my ip address
REMOTE_HOST my ip address

Someone is using your IP address, like from your machine or a machine on your network.
The values in the query string like %c0 and others with the % sign are characters that are encoded to be passed through the query string. The user did not type these usually. To find out what character they are, find what value c0 is in hex, then find out what character has this ASCII value.
Has this method worked in the past? I tried it myself on my intranet server and it does not do anything except give me a 404.
Michel Sakr:
They are trying to use the latest IIS5 hole.. stop the print service on the web server.. tomorrow I'll paste the full documentation of this hole, or patch to SP2 if you have Win2k.. and yes, they are trying to list the system dir.. check from which IP the request was generated and restrict it from IIS (as a preventive measure) or trace it..
The machine is NT 4, IIS 4.
Someone wrote this script on your page

<%
' Dump every server variable IIS exposes for the current request, one per line
dim item
for each item in request.servervariables
  response.write item & ":" & request.servervariables(item) & "<br>"
next
%>

Go to your Internet Manager and see if this script is in your 404 error default page.

That's my thoughts on that. Sounds like a sucky situation.
I wrote that script. The 404 page is run every time someone requests a page that is not on the server. It collects all server variables and the URL that the user is requesting. It then emails it to me. That's where I got the info from.
p.s. CUTTHEMUSIC & itDepartment are both part of the same company, that's why I am replying to this thread.
Our concern is because someone attempted to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
 
The URL looks like it may be malicious.
Have you tried resetting the 404 page through Internet Services Manager? Maybe see what's in it?
We created the custom 404 page to inform us when a user attempts to access a page that does not exist. What happened is someone tried to access
http://my ip address/scripts/..A?../winnt/system32/cmd.exe?/c dir c:
on my server. My server recognized that it could not be found and redirected to my custom 404 page, where it gathered the above information about the user and the unfound URL and then emailed it to us.

p.s. CUTTHEMUSIC & itDepartment are both part of the same company, that's why I am replying to this thread.
Check out your server log files; you'll probably see lots of these kinds of hack attempts. As long as the response is 404, nothing bad happened. There are a lot of break-in attempts going on these days.

This particular attempt would, if your server was misconfigured, allow the hacker to open the command program (the same program that opens a DOS window in NT and 2K). If successful, nothing good would follow.
That's called an Extended Unicode directory traversal vulnerability.

See this for more info:
http://www.securityfocus.com/vdb/bottom.html?vid=1806
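The kind of log review suggested above, as an added example that is not code from this thread: it percent-decodes a request path, folds two-byte overlong UTF-8 sequences such as %c0%af back to the ASCII byte they stand for ('/'), and flags any '..' followed by a path separator. The IIS-style log lines are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed IIS W3C-style log lines (sample data, not the thread's own log).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-01 10:00:01 203.0.113.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c: 404
2001-05-01 10:01:12 198.51.100.4 GET /index.asp - 200
2001-05-01 10:02:30 198.51.100.4 GET /docs/..%2f..%2fpublic/readme.txt - 404
"""

TRAVERSAL = re.compile(rb"\.\.[/\\]")  # '..' followed by a path separator

def fold_overlong(raw: bytes) -> tuple[bytes, bool]:
    """Replace 2-byte overlong UTF-8 (lead byte C0/C1) with the ASCII byte it
    encodes, e.g. C0 AF -> 0x2F '/'. Returns (folded bytes, overlong seen)."""
    out, found, i = bytearray(), False, 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            found, i = True, i + 2
        else:
            out.append(b)
            i += 1
    return bytes(out), found

def classify_uri(uri: str) -> dict:
    """Percent-decode once, fold overlong sequences, then test for traversal.
    Plain %2f-encoded '../' is caught by the same check after decoding."""
    folded, overlong = fold_overlong(unquote_to_bytes(uri))
    return {
        "normalized": folded.decode("latin-1"),
        "overlong": overlong,
        "traversal": TRAVERSAL.search(folded) is not None,
    }

def scan_log(text: str) -> list[tuple[str, str, dict]]:
    """Return (client ip, uri-stem, verdict) for requests worth a closer look."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) < 7:
            continue  # header line or malformed record
        ip, stem = fields[2], fields[4]
        verdict = classify_uri(stem)
        if verdict["overlong"] or verdict["traversal"]:
            hits.append((ip, stem, verdict))
    return hits
```

Running scan_log over a real IIS log shows which client addresses sent encoded traversal probes, and the normalized form makes clear what path the server would have resolved had it been unpatched.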
IIS4 is vulnerable to that too if not patched to the latest SP..
and if you've set read permissions for Everyone on the system directory..
What should the permissions be on the system directory, or any other directory for that matter?
The default permissions set upon NT installation.. As a rule of thumb, don't ever give Everyone permissions on directories on web servers and on shared directories on other servers.. If NT is administered correctly it has powerful security.. the leak in NT security is good administrators.
Any articles online on exactly how to set the permissions?
Hmm.. search MSDN on Microsoft's site..
itDepartment (asker):

After further investigation with my host we found that someone was trying to compromise the entire network. No harm was done, and I believe the individual was even identified. Thanks to everyone who helped.
Hang the bastard :o)