http exploits: Glad I'm on a Mac

Posted in General Discussion, edited January 2014
Out of curiosity, I took a look at the apache access_log of my DualG4 web server today. Man, am I happy I'm not responsible for any Windows/IIS boxes. My log was probably 90% attempted rootings/exploits by weight. Granted, it's basically a personal webserver, not too much traffic (mostly photos), but then it's just a personal webserver, behind a major university's defenses. Line after line of IIS exploits. I didn't appreciate just how widespread automated attacks like these were.



Some of the more interesting ones were:
Code:
SEARCH /\\x90\\x02\\xb1\\....

Code:
OPTIONS / HTTP/1.1
PROPFIND /c%24 HTTP/1.1 or PROPFIND /admin%24 HTTP/1.1

Code:
GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

Code:
GET /scripts/nsiislog.dll

Code:
CONNECT 1.3.3.7:1337 HTTP/1.0

Code:
GET /Internet_Security_Scanner-Disocvery/ HTTP/1.0

I assume the last two are someone's idea of a joke and/or a new variety of spam. Plus there were all kinds of other random GET requests for nonexistent directories and very existent websites (yahoo, google, others).



I swear I'll never let that machine get behind on security updates again. And thank god it's a Mac.

Comments

  • Reply 1 of 5
    mattjohndrow (Posts: 1,618, member)
    umm, translation?
  • Reply 2 of 5
    towel (Posts: 1,479, member)
    Code:
    SEARCH /\\x90\\x02\\xb1\\....

    This one alone was two-thirds of the log file by weight/size; that "\\x02\\xb1" part was usually repeated several hundred-to-thousand times in each request.



    Some quick Googling turned up this thread at MacOSXHints and this one from the RedHat mailing list which says it's an IIS WebDAV exploit.



    I don't know why other requests tried to fetch various Windows directories and files ("nsiislog", "/winnt...") but I'm guessing they were up to no good.



    I have no idea about the "PROPFIND" request, but to my layman's eye it seems to be trying to log in as admin. Google wasn't much help there.



    The "connect to 1.3.3.7 server" must be a joke from some 1337 h4x0r, and the last one looks to me like spam. Get it? "GET internet_security_scanner"? Next will be "GET a_cool_refreshing_coke".



    Maybe an apache guru can shed some more light on this stuff.
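As an added, defender-side illustration (not code from the thread or from any poster): a small Python scanner that reads Apache access-log lines and labels the probe types discussed above, namely the double-encoded traversal to cmd.exe, WebDAV SEARCH/PROPFIND probes against admin shares or carrying binary payloads, CONNECT proxy checks, and /scripts/*.dll requests. The log lines, client IPs and label names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (not the thread's real log).
# Apache writes non-printable request bytes as \xNN, as seen in the SEARCH request.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Jan/2004:10:00:01 -0500] "GET /photos/index.html HTTP/1.1" 200 5120
10.0.0.2 - - [12/Jan/2004:10:00:02 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
10.0.0.3 - - [12/Jan/2004:10:00:03 -0500] "PROPFIND /c%24 HTTP/1.1" 405 300
10.0.0.4 - - [12/Jan/2004:10:00:04 -0500] "SEARCH /\\x90\\x02\\xb1\\x02\\xb1\\x02\\xb1 HTTP/1.1" 414 330
10.0.0.5 - - [12/Jan/2004:10:00:05 -0500] "CONNECT 1.3.3.7:1337 HTTP/1.0" 405 300
10.0.0.6 - - [12/Jan/2004:10:00:06 -0500] "GET /scripts/nsiislog.dll HTTP/1.0" 404 280
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: [^"]*)?" (\d{3})')

def classify(method, path):
    """Return a short label for the kind of probe, or None for ordinary traffic."""
    # Decode twice: %255c -> %5c -> '\', which is how the IIS traversal requests hide '..\'.
    decoded = unquote(unquote(path)).lower()
    if ("..\\" in decoded or "../" in decoded) and "cmd.exe" in decoded:
        return "iis-traversal-cmd"
    if method == "CONNECT":                     # open-proxy check, not a page request
        return "proxy-connect-probe"
    if method in ("SEARCH", "PROPFIND"):        # WebDAV methods Apache normally never serves
        if decoded.endswith("$"):               # /c$ or /admin$: Windows admin share names
            return "webdav-share-probe"
        if len(path) > 64 or "\\x" in path:     # long or binary URL, the WebDAV overflow pattern
            return "webdav-overflow-probe"
        return "webdav-probe"
    if decoded.endswith((".dll", ".exe")) and "/scripts/" in decoded:
        return "iis-script-probe"               # IIS-only handlers such as nsiislog.dll
    return None

def scan(log_text):
    """Return (client_ip, label, method, path) for every request that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, _status = m.groups()
        label = classify(method.upper(), path)
        if label:
            hits.append((ip, label, method, path))
    return hits

if __name__ == "__main__":
    for ip, label, method, path in scan(SAMPLE_LOG):
        print(f"{ip:<10} {label:<22} {method} {path}")
```

Every hit here is for an IIS or proxy feature Apache does not have, so on a box like this they are noise worth counting by source address, not a sign the server was touched.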
  • Reply 3 of 5
    cubedude (Posts: 1,556, member)
    I run a small web server, and ever since I set it up I've been getting requests for information like that.
  • Reply 4 of 5
    stoo (Posts: 1,490, member)
    Code:
    GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir

    I've used this exploit (or one similar to it) on my home network because I couldn't be bothered to set up file sharing between my Mac and PC.
  • Reply 5 of 5
    snoopy (Posts: 1,901, member)
    I wonder whether anyone ever tried writing a program that would simulate a Windows PC's response, which would send back fake information? Essentially, the Mac server would be playing a game with any attacker, and who knows how far such a game could be made to go?