sixonetonoffun (Spouse Contemplates Divorce)
Joined: Jan 02, 2003
Posts: 2496
Posted: Tue Jun 29, 2004 8:52 pm
If you see an entry like this in your logs:
299.*.*.* - - [06/Jun/2004:10:39:23 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x0
That goes on and on and on!
This is apparently the IIS WebDAV exploit.
Affected Software:
• Microsoft Windows NT 4.0
• Microsoft Windows NT 4.0 Terminal Server Edition
• Microsoft Windows 2000
• Microsoft Windows XP
Not Affected Software:
• Microsoft Windows Server 2003
• *NIX OSes
MS patches available:
http://www.microsoft.com/technet/security/bulletin/ms03-007.mspx
Source of details found here:
http://forums.macosxhints.com/showthread.php?t=22371
http://www.webmasterworld.com/forum39/2173.htm
One interesting way (for Apache users) suggested to rid yourself of those entries in your logs was to add something like this to your httpd.conf (this assumes mod_rewrite is enabled). Replace http://www.microsoft.com with wherever you'd like to send these requests.
Code:
# RedirectMatch is provided by mod_alias, not mod_rewrite, so that is the
# module this block has to test for.
<IfModule mod_alias.c>
RedirectMatch permanent (.*)cmd.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)root.exe(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_vti_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/scripts\/\.\.(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/_mem_bin\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/msadc\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/MSADC\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/c\/winnt\/(.*)$ http://www.microsoft.com
RedirectMatch permanent (.*)\/d\/winnt\/(.*)$ http://www.microsoft.com
# The log shows \x90 because Apache escapes the raw 0x90 byte when it writes
# the access log; this last rule only matches a literal "/x90/" in the path.
RedirectMatch permanent (.*)\/x90\/(.*)$ http://www.microsoft.com
</IfModule>
We could also do this in .htaccess, but what's the point?
I posted this because this has come up a few times here, either in the chat or the forums.
Raven (Site Admin/Owner)
Joined: Aug 27, 2002
Posts: 17088
Posted: Wed Jun 30, 2004 4:48 am
I have tried to trap that fool thing in .htaccess using a regex but haven't been able to find the magic to do it. Potentially DDoSing MS is an interesting approach, but I want to figure out the .htaccess trap and work it into Sentinel.
sixonetonoffun
Posted: Wed Jun 30, 2004 10:26 am
Something like this maybe? Seems like a lot of code just to catch this one bugger.
Code:
// The probe arrives as the HTTP request method, not as a form field, so read
// REQUEST_METHOD and the raw URI instead of the GET/POST variables.
$method      = isset($_SERVER['REQUEST_METHOD']) ? $_SERVER['REQUEST_METHOD'] : '';
$querystring = isset($_SERVER['REQUEST_URI']) ? urldecode($_SERVER['REQUEST_URI']) : '';
// Apache writes the raw 0x90/0xb1 bytes to the log as \x90 and \xb1; the request
// itself has to be tested for the bytes, not for the literal text "x90".
// The OR is parenthesised: "isset() && stristr() OR stristr()" would let the
// second test fire without the method check.
if (strcasecmp($method, 'SEARCH') == 0
    && (strpos($querystring, "\x90") !== false || strpos($querystring, "\xb1") !== false)) {
    // block_ip(), write_mail() and $ab_config come from the poster's own ban script
    if ($ab_config['activate_filters'] > 1) {
        block_ip($ip, $banuser, $agent, $bantime, $reason, $ab_config['activate_filters']);
    } else {
        write_mail($remote, $banuser, $bantime, $reason);
        header("Location: index.php");
    }
}
Raven
Posted: Wed Jun 30, 2004 10:42 am
A regex or preg_match will make it much simpler. I just haven't had time to get back on it.
xfsunolesphp (Regular)
Joined: Aug 23, 2003
Posts: 77
Posted: Wed Jun 30, 2004 4:12 pm
Raven wrote: "I have tried to trap that fool thing in .htaccess using a regex but haven't been able to find the magic to do it. Potentially DDoSing MS is an interesting approach, but I want to figure out the .htaccess trap and work it into Sentinel."
I love it, DoS Microsoft.
stephen2417 (Worker)
Joined: Jan 18, 2004
Posts: 244
Location: Bristolville, OH
Posted: Wed Jun 30, 2004 4:16 pm
Here's another solution: www.apache.org
EDIT: Apache 2.xx just had a DoS hole that was patched, I heard.
xfsunolesphp
Posted: Wed Jun 30, 2004 4:24 pm
Use Redirect: if anyone tries to exploit, straight to Microsoft.
sixonetonoffun
Posted: Wed Jun 30, 2004 8:13 pm
This is fast and kills two birds with one stone. I know TRACE is an old exploit, but it's worth inclusion. I think cURL and LDAP might use the SEARCH method, but that's got to be about it for legitimate uses of it.
Code:
RewriteEngine On
# RewriteCond lines are ANDed unless flagged [OR]; without it no request can
# match both methods, so the rule would never fire.
RewriteCond %{REQUEST_METHOD} ^TRACE [NC,OR]
RewriteCond %{REQUEST_METHOD} ^SEARCH [NC]
RewriteRule ^.* - [F,L]
xfsunolesphp
Posted: Wed Jun 30, 2004 8:21 pm
Is there a way to use Redirect in there to point to microsoft.com?
sixonetonoffun
Posted: Wed Jun 30, 2004 8:44 pm
ROFLMAO! No.
Change the rewrite rule to
Code:
# An external redirect needs a full URL and the [R] flag; "/www.microsoft.com"
# on its own would be served as a local path.
RewriteRule ^.*$ http://www.microsoft.com/ [R=301,L]
But don't tell 'em I had anything to do with it!
xfsunolesphp
Posted: Wed Jun 30, 2004 8:51 pm
Nobody knows it there, do you love it?
Raven
Posted: Wed Jun 30, 2004 8:53 pm
Except that you keep advertising it.
sixonetonoffun
Posted: Fri Jul 02, 2004 10:36 am
Hate to bump this thread, but I was thinking about this and I think I came up with the simplest solution for Apache users. This should get rid of the huge entries in the Apache logs caused by this WebDAV exploit attempt.
Just add this to the .htaccess file:
Code:
# Apache treats HEAD as GET inside <Limit>/<LimitExcept>, so HEAD stays allowed
# here, and TRACE cannot be limited this way at all (use TraceEnable off).
# Require valid-user needs an AuthType/AuthUserFile set up; otherwise a
# request would fail with a server error rather than a clean 401.
<LimitExcept GET PUT POST>
Require valid-user
</LimitExcept>
or
<LimitExcept GET PUT POST>
Deny from all
</LimitExcept>
Which should disallow all request methods except GET, PUT and POST. My testing with HEAD and TRACE seemed less successful, so I'm thinking they are excluded from the LimitExcept directive by default, possibly?
This is just a little twist on the Limit clause many of us use.
Code:
<Limit GET PUT POST>
Order Allow,Deny
Allow from all
</Limit>
stephen2417
Posted: Fri Jul 02, 2004 5:19 pm
OK, YIKES... I'm freaking out now. I forgot to do this last night and I wake up to find someone tried it 9 times on me!!!
Same IP, and the weirdest thing is the IP is coming from the same ISP I have and the same server that my IP comes out of... This could be someone down my freaking road attacking me!!!!!
I'm just a little annoyed, that's all!!!!!!!!!
Should I report their IP to my ISP?
Muffin (Client)
Joined: Apr 10, 2004
Posts: 649
Location: UK
Posted: Fri Jul 02, 2004 5:30 pm
You sure it's not you? rofl
stephen2417
Posted: Fri Jul 02, 2004 5:33 pm
No, I checked that.
And I just got attacked with this..
Code:
69.136.173.232 - - [02/Jul/2004:18:04:19 -0400] "GET /default.ida?
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%
ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%
u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0"
404 205
All I'm trying to do is run a little website out of my house and I get attacked!
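Added example, not code from the thread: a small Python classifier that runs over constructed Apache access-log lines modelled on the SEARCH entry in the first post and the default.ida entry above, tags each probe family, and counts hits per source IP so a repeat source stands out. The signature list, the label names and the sample lines are this example's own assumptions.

```python
import re
from collections import Counter
# Apache combined-log line; only the fields the classifier needs are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^" ]*)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Probe families seen in the thread. Apache escapes raw bytes as \x90 when it
# writes the log, so the SEARCH check looks for that escaped text in the path.
SIGNATURES = [
    ("webdav-search", lambda m: m["method"] == "SEARCH" and r"\x90" in m["path"]),
    ("ida-overflow", lambda m: m["path"].lower().startswith("/default.ida?")
                               and "%u" in m["path"]),
    ("iis-traversal", lambda m: re.search(
        r"cmd\.exe|root\.exe|/_vti_bin/|/scripts/\.\.|/msadc/", m["path"], re.I) is not None),
]

def classify(line):
    """Return (ip, label) for a recognised probe, None for normal or unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for label, test in SIGNATURES:
        if test(m):
            return m["ip"], label
    return None

def summarize(lines):
    """Count probes per (ip, label) so a repeat source like the 9 hits above stands out."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit:
            counts[hit] += 1
    return counts

# Constructed sample lines modelled on the thread's excerpts (documentation IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jun/2004:10:39:23 -0500] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 403 213',
    '192.0.2.10 - - [06/Jun/2004:10:39:24 -0500] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1 HTTP/1.1" 403 213',
    '198.51.100.7 - - [02/Jul/2004:18:04:19 -0400] "GET /default.ida?XXXX%u9090%u6858%ucbd3=a HTTP/1.0" 404 205',
    '198.51.100.7 - - [02/Jul/2004:18:05:02 -0400] "GET /msadc/root.exe HTTP/1.0" 404 290',
    '203.0.113.5 - - [02/Jul/2004:18:06:10 -0400] "GET /index.php HTTP/1.1" 200 5120',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for (ip, label), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:16} {label:15} {n}")
```

Feed it a real access_log one line at a time to get the same per-source tally; lines that do not match the combined format are skipped rather than crashing the run.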
xfsunolesphp
Posted: Fri Jul 02, 2004 5:36 pm
It appears 404 means File Not Found.
Raven
Posted: Fri Jul 02, 2004 5:39 pm
That is ida, which only affected Microsoft servers and is about 3 years old. I hardly think you have to worry. Look up ida on Google.
xfsunolesphp
Posted: Fri Jul 02, 2004 5:40 pm
Why do people use an IIS exploit on an Apache server?
stephen2417
Posted: Fri Jul 02, 2004 5:40 pm
I'm so glad I like Apache!!!
stephen2417
Posted: Mon Jul 05, 2004 9:51 pm
Six, how can we tell that this is getting forwarded to MS by looking at the logs?
Because I got attacked a lot today and just wanted to make sure it's working right.
sixonetonoffun
Posted: Mon Jul 05, 2004 10:16 pm
Hmm, good question. I don't know of a browser that lets you change the request method to SEARCH. Sam Spade lets you use DELETE, OPTIONS, GET, TRACE and HEAD, I think.
stephen2417
Posted: Tue Jul 06, 2004 12:54 am
I'm sure there's some kind of nasty Firefox extension that can do the job.. I'll look around.. Hell, someone made a proxy switcher.
stephen2417
Posted: Wed Jul 07, 2004 6:07 am
OK, I'm just a bit scared.. I keep getting attacked by local IP addresses. So far all coming from Ohio, and nearby!!!! Oh, and they're all coming from Earthlink, that would be my ISP!!!!!!!!!!!!
I don't think I need to call the cops yet, yet that is. Maybe I need a bodyguard or something.
sixonetonoffun
Posted: Wed Jul 07, 2004 8:47 am
If it's like the other IDA, there are probably just a bunch of Nimda-infected IIS servers in your IP range. Not much you can do about it really. Just make sure you're patched up to date.