[lug] possible intrusion

D. Stimits stimits at idcomm.com
Thu Jul 19 13:18:45 MDT 2001


Deva Samartha wrote:
> 
> Thank you for your information - security focus search on shellcode results
> in 800 matches. In the meantime, I got about 15 of the NNNN's, more popping
> again and again. -
> 
> If you know the feeling and possibly more about the exploit, could I
> possibly bribe you with  ?
> 
> <n> cans of <beverage>
> <n> ::= 1,2,3..12
> <beverage> ::= <beer> | <soft drink>
> ...
> 
> or would that insult you?

I'm currently unemployed, and my "bribability" index is quite high at
the moment. But there isn't much I could help with here, the crackers
are fairly stupid if they are attacking a linux box with this.

One of the keys to searching is the default.ida; the .ida, I believe,
refers to IIS's custom "indexing service". During my prior job, an
interesting (and related to the exploit) feature of the IIS was that it
blindly fed arguments to the applications we wrote; it had no check of
argument count on relevant functions. IIS tends to blindly pass
arguments, and any application that fails to match it had better be able
to deal with the excess on the stack, because IIS has little or no
argument checking safety (it is something like an unchecked printf). I
know some sort of security fix was issued by MS, so this might no longer
be true...but ONLY if you got the updates. Without the updates, there's
very little you can do.

It is harmless to apache and linux. And for trivia, I have had 3
different ip's (all different domains) try to get to my port 80 during
the time it took to write this reply...so it is a common thing it seems.
Oops, make that 4...I am getting another in just the time it took to
write this one paragraph. My guess is that infected machines are doing
automated exploration of domains. Even a script kiddie would be smart
enough to not attack a linux machine with IIS bugs.

D. Stimits, stimits at idcomm.com

> 
> To reveal a.) is it dangerous, b.) a possible search criteria to narrow
> down the search for the exploit.
> 
> Maybe they just enjoy making me freak out?
> 
> I start reading the security focus in the meantime.
> 
> Thanks
> 
> Samartha
> 
> >You may wish to subscribe to some security mailing lists. I recommend some of
> >the Security Focus lists -- www.securityfocus.com. Specifically, the
> >incidents,
> >and the bugtraq lists are very helpful. This is a known exploit.
> >
> >-brad
> >
> > > I am getting a few of these on port 80:
> > >
> > > [19/Jul/2001:07:48:26 -0600] "GET /default.ida?NNNNNNNN
> > > (many more NNN's).....NNNN%u9090%u6858%ucbd3%u7801%u9090%u.....
> > >
> > > which looks like buffer overflow intrusion.
> > >
> > > Does anyone know more about this?
> > >
> > > thanks,
> > >
> > > Samartha
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug

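As an added example (not part of the thread above, and not code from either poster), here is a small Python scanner that runs over constructed Apache access-log lines shaped like the request Samartha posted: a .ida path, a long run of one repeated letter, then %uXXXX-encoded tokens. The sample lines, the MIN_PAD / MIN_UENC thresholds, and the little-endian unpacking of the %u tokens are all assumptions made for the example; the thread itself only shows the truncated request and says an Apache box answers it harmlessly.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Apache access-log lines (not taken from the thread).
# The first request mimics the shape of the one posted on the list; the
# others are benign traffic and a bare /default.ida probe for contrast.
IDA_QUERY = "N" * 224 + "%u9090%u6858%ucbd3%u7801" * 3 + "%u9090"
SAMPLE_LOG = "\n".join([
    '10.0.0.1 - - [19/Jul/2001:07:48:26 -0600] "GET /default.ida?'
    + IDA_QUERY + ' HTTP/1.0" 404 282',
    '10.0.0.2 - - [19/Jul/2001:07:50:01 -0600] "GET /index.html HTTP/1.1" 200 1234',
    '10.0.0.3 - - [19/Jul/2001:07:51:13 -0600] "GET /default.ida HTTP/1.0" 404 282',
    '10.0.0.4 - - [19/Jul/2001:07:52:40 -0600] "GET /cgi-bin/search?q='
    + "N" * 300 + ' HTTP/1.1" 200 55',
])

# Common Log Format: host ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
UENC_RE = re.compile(r'%u([0-9A-Fa-f]{4})')
MIN_PAD = 64    # minimum run of one repeated character (tuning assumption)
MIN_UENC = 4    # minimum number of %uXXXX tokens (tuning assumption)


def leading_run(s: str) -> int:
    """Length of the run of s[0] at the start of s (0 for an empty string)."""
    n = 0
    for ch in s:
        if ch != s[0]:
            break
        n += 1
    return n


def decode_uenc(query: str) -> bytes:
    """Unpack every %uXXXX token as a 16-bit value.

    %u is IIS's non-standard escape for a 16-bit code unit. Little-endian
    byte order is an assumption made here only so the analyst can see the
    byte pattern (e.g. 0x90 0x90) the tokens carry.
    """
    out = bytearray()
    for hex4 in UENC_RE.findall(query):
        out += int(hex4, 16).to_bytes(2, "little")
    return bytes(out)


def classify(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for a .ida overflow-style request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith(".ida"):
        return None
    pad = leading_run(query)
    words = UENC_RE.findall(query)
    if pad < MIN_PAD or len(words) < MIN_UENC:
        return None
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "path": path,
        "pad_len": pad,
        "uenc_count": len(words),
        "payload_head": decode_uenc(query)[:8].hex(),
        "status": int(m.group("status")),
    }


def scan(log_text: str) -> List[Dict[str, object]]:
    """Run classify() over every line of an access log and collect findings."""
    return [f for f in map(classify, log_text.splitlines()) if f]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The bare `/default.ida` probe and the long-but-plain CGI query are deliberately left unflagged: the signature here is the combination of the .ida target, the padding run, and the %u-encoded tail, not any one of them. Point `scan()` at the contents of a real access_log to count how many distinct hosts are sending the request, which is what the thread's "3 different ip's ... make that 4" observation amounts to.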