Snort mailing list archives
Re: spp_http_decode: IIS Unicode attack detected
From: Andrew.Hutchinson () mcmail vanderbilt edu
Date: Thu, 30 Aug 2001 16:57:15 -0500
Steve:

Check out http://www.securityfocus.com/bid/1806

Basically, somebody is attempting a directory traversal attack on your IIS host, probably using the unicodexecute2.pl perl script. It appears from the alert that they're just attempting to assess whether you're vulnerable by passing a directory listing command (see the 'dir' parameter that they're passing). However, if your host _is_ vulnerable, they'll be able to execute pretty much anything they please.

Andrew Hutchinson CNE MCSE
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson () mcmail vanderbilt edu
** PGP Public Keyblock available upon request **

Steve Moran <steve.moran () csssoftware com>
Sent by: snort-users-admin@lists.sourceforge.net
08/30/2001 04:22 PM

To: snort-users () lists sourceforge net
cc:
Subject: [Snort-users] spp_http_decode: IIS Unicode attack detected

I see these all the time, I'm not sure what the point of it is, here is a packet decode, anyone have any idea?

length = 66

    000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
    010 : 63 31 25 38 73 2E 2E 2F 77 69 6E 6E 74 2F 73 79   c1%8s../winnt/sy
    020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
    030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   c+dir HTTP/1.0..
    040 : 0D 0A                                             ..

Steve Moran
Network Security
CSS, Inc.
(303) 526-5515 (work)
(303) 526-3464 x132 (direct)
(720) 244-7038 (cell)
steve.moran () csssoftware com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
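Added example, not part of the thread and not Snort's spp_http_decode code: this Python decodes the 66 request bytes quoted in the message and reports what is anomalous about the path, namely an escape that decodes to 0xC1 (a byte that never occurs in valid UTF-8) and the malformed escape `%8s`. The function names and finding labels are assumptions of this example.

```python
HEXDIGITS = b"0123456789abcdefABCDEF"

# Request bytes copied from the packet decode quoted in the message (length = 66).
PACKET = bytes.fromhex(
    "47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 "
    "63 31 25 38 73 2E 2E 2F 77 69 6E 6E 74 2F 73 79 "
    "73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F "
    "63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A "
    "0D 0A"
)

def request_path(raw):
    """Split the request line and return (path, query) as bytes."""
    line = raw.split(b"\r\n", 1)[0]
    _method, target, _version = line.split(b" ", 2)
    path, _, query = target.partition(b"?")
    return path, query

def decode_path(path):
    """Percent-decode once; return (decoded bytes, list of findings)."""
    out, findings, i = bytearray(), [], 0
    while i < len(path):
        digits = path[i + 1:i + 3]
        if path[i] != 0x25:                      # not '%'
            out.append(path[i]); i += 1
        elif len(digits) == 2 and all(d in HEXDIGITS for d in digits):
            out.append(int(digits.decode("ascii"), 16)); i += 3
        else:                                    # '%' not followed by two hex digits
            findings.append(("malformed-escape", path[i:i + 3].decode("latin-1")))
            out.append(path[i]); i += 1
    # 0xC0 and 0xC1 can only start overlong two-byte sequences: never valid UTF-8.
    for b in out:
        if b in (0xC0, 0xC1):
            findings.append(("invalid-utf8-lead", f"0x{b:02X}"))
    return bytes(out), findings

def analyze(raw):
    """Return findings for one raw HTTP request."""
    path, _query = request_path(raw)
    decoded, findings = decode_path(path)
    if b".." in decoded and findings:
        findings.append(("dot-dot-with-bad-encoding", path.decode("latin-1")))
    return findings

if __name__ == "__main__":
    for kind, detail in analyze(PACKET):
        print(f"{kind}: {detail}")
```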
Current thread:
- spp_http_decode: IIS Unicode attack detected Steve Moran (Aug 30)
- RE: spp_http_decode: IIS Unicode attack detected Ben Johansen (Aug 30)
- Re: spp_http_decode: IIS Unicode attack detected Olaf Schreck (Aug 31)
- <Possible follow-ups>
- Re: spp_http_decode: IIS Unicode attack detected Andrew . Hutchinson (Aug 30)