Sorry for the site being down temporarily. I did not apply the hotfix as
Russ had referenced earlier to prevent the IIS crash on telnet to 80,
"GET ../..". It has been applied now, and GET ../.. does not crash
the machine.
This attack causes Dr. Watson to display an alert window and to log an
error:
"The application, exe\inetinfo.dbg, generated an application error
The error occurred on 12/11/1996 @ 20:30:50.318
The exception generated was c0000005 at address 53984655 (TCP_AUTHENT::TCP_AUTHENT)"
The last entries into the log are:
206.154.250.46, -, 12/11/96, 20:12:26, W3SVC, WWW, 205.158.61.35, 109608, 291, 172241, 200, 0, GET, /guest/whitepapers/NT2.doc, -,
204.252.155.133, -, 12/11/96, 20:19:34, W3SVC, WWW, 205.158.61.35, 0, 170, 847, 200, 0, GET, /Default.htm, -,
204.252.155.133, -, 12/11/96, 20:19:39, W3SVC, WWW, 205.158.61.35, 4667, 199, 962, 200, 0, GET, /default.asp, -,
204.252.155.133, -, 12/11/96, 20:19:41, W3SVC, WWW, 205.158.61.35, 10, 236, 715, 200, 0, GET, /title.htm, -,
204.252.155.133, -, 12/11/96, 20:19:41, W3SVC, WWW, 205.158.61.35, 10, 234, 1647, 200, 0, GET, /toc.htm, -,
204.252.155.133, -, 12/11/96, 20:19:41, W3SVC, WWW, 205.158.61.35, 10, 235, 2924, 200, 0, GET, /main.htm, -,
204.252.155.133, -, 12/11/96, 20:19:43, W3SVC, WWW, 205.158.61.35, 3976, 287, 1092, 200, 0, GET, /images/HDSlogo_icon.gif, -,
204.252.155.133, -, 12/11/96, 20:19:44, W3SVC, WWW, 205.158.61.35, 3255, 277, 276, 200, 0, GET, /images/rule.gif, -,
204.252.155.133, -, 12/11/96, 20:19:46, W3SVC, WWW, 205.158.61.35, 5058, 317, 337, 200, 0, GET, /isapi/counter/counter.exe, link=page2&style=lcd&width=7,
204.252.155.133, -, 12/11/96, 20:20:10, W3SVC, WWW, 205.158.61.35, 28430, 267, 1112, 200, 0, GET, /guest/whitepap.htm, -,
204.252.155.133, -, 12/11/96, 20:20:12, W3SVC, WWW, 205.158.61.35, 28621, 272, 262, 200, 0, GET, /images/spacer.gif, -,
204.252.155.133, -, 12/11/96, 20:20:12, W3SVC, WWW, 205.158.61.35, 27299, 269, 351, 200, 0, GET, /images/pdf.gif, -,
204.252.155.133, -, 12/11/96, 20:20:13, W3SVC, WWW, 205.158.61.35, 0, 272, 262, 200, 0, GET, /images/spacer.gif, -,
204.252.155.133, -, 12/11/96, 20:22:19, W3SVC, WWW, 205.158.61.35, 125220, 287, 169659, 200, 0, GET, /guest/whitepapers/NTsec.htm, -,
204.252.155.133, -, 12/11/96, 20:26:18, W3SVC, WWW, 205.158.61.35, 368631, 258, 516, 200, 0, GET, /blank.htm, -,
The last entry is pretty darn near the crash time of 20:30:50.
Interestingly, 204.252.155.133 traces out:
#trace 204.252.155.133
Type escape sequence to abort.
Tracing the route to 204.252.155.133
1 REGION-1B-RTR-S11S1.INTERNEX.NET (205.158.1.157) 4 msec 8 msec 8 msec
2 REGION-1A-RTR-F1S0.INTERNEX.NET (205.158.0.4) 4 msec 4 msec 4 msec
3 SAN-JOSE3.CA.ALTER.NET (198.32.136.42) 12 msec 8 msec 8 msec
4 FDDI0-0.SAN-JOSE8.CA.ALTER.NET (137.39.27.21) 288 msec 244 msec 8 msec
5 * KOREAPC-GW.ALTER.NET (137.39.170.90) 196 msec 204 msec
6 DOOLEY.KOL.CO.KR (204.252.155.11) 204 msec 204 msec 200 msec
7 204.252.155.133 432 msec 428 msec 432 msec
Grepping my Eudora firewall list for KOL.CO.KR finds a message:
______________________
From: Lee Seong Koo [SMTP:klbcardl@hitel.kol.co.kr]
Sent: Monday, December 09, 1996 10:10 PM
To: Mark Joseph Edwards
Subject: Re: Another IIS Bug
Hi all,
I tried "telnet www.server.my 80" and "GET ../.."
My server crashed.
And I tried "telnet www.microsoft.com 80" and "GET ../.."
but MS's www server did not crash.
Why not?
______________________
Tsk,tsk.
Bill Stout
_______________________________________________________________________________
Senior Systems Admin NT/Backoffice/Solaris/WWW-Db/Firewalls/Cisco/VM-UNIX/VMS
Hitachi Data Systems 408-970-4822 --- Disclaimer: I speak only for myself
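The correlation Bill does by eye above (Dr. Watson's crash timestamp against the tail of the W3SVC log, then picking the client that was active just before it) is worth scripting, since the crashing request itself never shows up: IIS writes a log record only once the response is complete (the record carries time-taken and bytes-sent), so the process dies before "GET ../.." is ever logged, and the best the log gives you is who was talking to the server last. The following is an added example, not code from the original post; the log records are the ones quoted above re-joined onto one line each, the field names are assumed from the old (pre-W3C extended) IIS log layout, and the ten-minute window is an arbitrary choice.

```python
"""Correlate a Dr. Watson crash time with the old-style IIS W3SVC log.

Added example, not part of Bill Stout's post.  Field order is the old IIS log
format: client IP, user, date, time, service, server name, server IP,
time-taken (ms), bytes received, bytes sent, HTTP status, Win32 status,
method, URI, query.
"""
from datetime import datetime, timedelta

FIELDS = ["client_ip", "user", "date", "time", "service", "server_name",
          "server_ip", "time_taken_ms", "bytes_recv", "bytes_sent",
          "status", "win32_status", "method", "uri", "query"]

# Constructed sample: a subset of the records quoted in the post, one per line.
SAMPLE_LOG = """\
206.154.250.46, -, 12/11/96, 20:12:26, W3SVC, WWW, 205.158.61.35, 109608, 291, 172241, 200, 0, GET, /guest/whitepapers/NT2.doc, -,
204.252.155.133, -, 12/11/96, 20:19:34, W3SVC, WWW, 205.158.61.35, 0, 170, 847, 200, 0, GET, /Default.htm, -,
204.252.155.133, -, 12/11/96, 20:19:46, W3SVC, WWW, 205.158.61.35, 5058, 317, 337, 200, 0, GET, /isapi/counter/counter.exe, link=page2&style=lcd&width=7,
204.252.155.133, -, 12/11/96, 20:22:19, W3SVC, WWW, 205.158.61.35, 125220, 287, 169659, 200, 0, GET, /guest/whitepapers/NTsec.htm, -,
204.252.155.133, -, 12/11/96, 20:26:18, W3SVC, WWW, 205.158.61.35, 368631, 258, 516, 200, 0, GET, /blank.htm, -,
"""

# The timestamp exactly as Dr. Watson printed it in the post.
DRWATSON_TIME = "12/11/1996 @ 20:30:50.318"


def parse_iis_log(text):
    """Parse old-style IIS log lines into dicts, adding a 'ts' datetime."""
    records = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        # Records end with a trailing comma; split into at most 15 fields so a
        # query string containing commas is not broken up.
        parts = [p.strip() for p in raw.rstrip(", ").split(",", len(FIELDS) - 1)]
        if len(parts) != len(FIELDS):
            raise ValueError("unexpected field count in: %r" % raw)
        rec = dict(zip(FIELDS, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%m/%d/%y %H:%M:%S")
        records.append(rec)
    return records


def parse_drwatson_time(text):
    """Dr. Watson's 'The error occurred on 12/11/1996 @ 20:30:50.318' format."""
    return datetime.strptime(text, "%m/%d/%Y @ %H:%M:%S.%f")


def suspects(records, crash_time, window=timedelta(minutes=10)):
    """Clients whose last logged request fell within `window` before the crash.

    Returns (client_ip, last_ts, last_uri, seconds_before_crash) tuples,
    most recent first.  Anything logged after the crash is ignored (the
    service may have been restarted).
    """
    last = {}
    for rec in records:
        age = crash_time - rec["ts"]
        if rec["ts"] <= crash_time and age <= window:
            ip = rec["client_ip"]
            if ip not in last or rec["ts"] > last[ip]["ts"]:
                last[ip] = rec
    out = [(ip, r["ts"], r["uri"], (crash_time - r["ts"]).total_seconds())
           for ip, r in last.items()]
    out.sort(key=lambda t: t[1], reverse=True)
    return out


if __name__ == "__main__":
    crash = parse_drwatson_time(DRWATSON_TIME)
    for ip, ts, uri, secs in suspects(parse_iis_log(SAMPLE_LOG), crash):
        print("%-16s last seen %s (%.0fs before crash) %s" % (ip, ts, secs, uri))
```

Run against the full log from the post it produces a single candidate, 204.252.155.133, last seen 272 seconds before the crash; widen the window to twenty minutes and 206.154.250.46 appears too, which is the reason to print the gap rather than just the name.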