Educause Security Discussion mailing list archives

Re: Chinese dot-dot-slash attack on Windows 2000/IIS


From: Andrew Daviel <advax () TRIUMF CA>
Date: Fri, 12 Sep 2008 15:26:03 -0700

On Fri, 12 Sep 2008, Justin Azoff wrote:

> Can't comment on the rest, but "B.A.C.K.D.O.O.R" was most likely just
> the utf-16 representation of "BACKDOOR".. the .'s were probably 0x00

Yes, they were 0x00.
.. ah.. I just compared the log to a capture of myself logging on
using rdesktop.
It's just the local name of the computer used to log in. One mystery
solved (either that's the name of their computer, or probably they are
coming through a trojan proxy that sets the machine name to that string.)


--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
Network Security Manager
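
Added example, not part of the original thread: a short Python sketch of why a UTF-16LE string shows up as "B.A.C.K.D.O.O.R" in a log or hex-dump view, and how to pull such strings out of a capture. The buffer is constructed for illustration, and the function names are hypothetical.

```python
import re


def dotted_view(data: bytes) -> str:
    """Render bytes like the ASCII column of a hex dump: non-printables become '.'."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)


def utf16le_strings(data: bytes, min_chars: int = 4):
    """Return (offset, text) for each run of printable ASCII stored as UTF-16LE.

    Each character is one printable byte followed by 0x00, which is what
    produces the letter-dot-letter pattern in a dotted view.
    """
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in pattern.finditer(data)]


# Constructed sample: four arbitrary binary bytes, the name as UTF-16LE,
# a 16-bit NUL terminator, then more arbitrary binary bytes.
SAMPLE = (b"\x03\x00\x01\x9c"
          + "BACKDOOR".encode("utf-16-le")
          + b"\x00\x00"
          + b"\x04\x00\x00\x00")

if __name__ == "__main__":
    print(dotted_view(SAMPLE))
    for offset, text in utf16le_strings(SAMPLE):
        print(f"offset {offset}: {text!r}")
```

The same extraction on a capture file can be done with GNU `strings -e l`, which searches for 16-bit little-endian strings.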
