Security Incidents mailing list archives
Re: A small quandary
From: gminick <gminick () underground org pl>
Date: Sat, 7 Dec 2002 19:27:40 +0100
On Wed, Dec 04, 2002 at 08:30:08PM -0800, Mahoney, Paul wrote: [...]
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 - /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 - /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\ My question to everyone out there is would anyone be able to tell me if this kind of attack has the fingerprints of any known software/viruses in the field or is it a deliberate attempt to gain access to my clients site?
What you're seeing is a work of some vulnerability scanner, and it looks like it checks for dozens of possible vulnerabilities like directory traversals (i.e: <http://www.kb.cert.org/vuls/id/111677>, <http://online.securityfocus.com/bid/1806/exploit/>) and vulnerabilities in CGI scripts. Such scanners are doing things as they were blind. It isn't important what kind of software you're using, that tool probes you as long as one of its methods works against your server. If your server answered with http code 404 it means that there's no such script of file on your server. What's also important there exists attack against windoze boxes and against unix/linux ones. If you're running apache on linux all those "/scripts/.%252e/.%252e /winnt/system32/cmd.exe?/c+dir+c:\\" can't hurt you. If you're interested in exploring those malicious toys take a look at <http://www.ussrback.com/files.html>, <http://packetstormsecurity.nl/UNIX/cgi-scanners/> and <http://www.zone-h.org/en/download/category=3/>. -- [ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ] [ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ] ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- A small quandary Mahoney, Paul (Dec 05)
- RE: A small quandary Jerry Shenk (Dec 08)
- RE: A small quandary Rob Shein (Dec 08)
- Re: A small quandary H C (Dec 08)
- RE: A small quandary Bojan Zdrnja (Dec 09)
- Re: A small quandary Mike Katz (Dec 08)
- Re: A small quandary gminick (Dec 08)
- Odd entries in my Security Router logs Julian Young (Dec 09)