Snort mailing list archives

Re: spp_http_decode: IIS Unicode attack detected


From: Andrew.Hutchinson () mcmail vanderbilt edu
Date: Thu, 30 Aug 2001 16:57:15 -0500


Steve:

Check out http://www.securityfocus.com/bid/1806

Basically, somebody is attempting a directory traversal attack on your IIS
host, probably using the unicodexecute2.pl perl script.  It appears from
the alert that they're just attempting to assess whether you're vulnerable
by passing a directory listing command (see the 'dir' parameter that
they're passing).  However, if your host _is_ vulnerable, they'll be able
to execute pretty much anything they please.

Andrew Hutchinson CNE MCSE
Informatics/NCS/Network Security
Vanderbilt University Medical Center
615.936.2856 - voice
615.936.0643 - fax
andrew.hutchinson () mcmail vanderbilt edu
** PGP Public Keyblock available upon request **



Steve Moran <steve.moran () csssoftware com>
Sent by: snort-users-admin@lists.sourceforge.net
08/30/2001 04:22 PM

To:      snort-users () lists sourceforge net
cc:
Subject: [Snort-users] spp_http_decode: IIS Unicode attack detected



I see these all the time, I'm not sure what the point of it is, here is a
packet decode, anyone have any idea?

 length = 66

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 63 31 25 38 73 2E 2E 2F 77 69 6E 6E 74 2F 73 79   c1%8s../winnt/sy
020 : 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F   stem32/cmd.exe?/
030 : 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D 0A   c+dir HTTP/1.0..
040 : 0D 0A                                             ..


Steve Moran
Network Security
CSS, Inc.
(303) 526-5515 (work)
(303) 526-3464 x132 (direct)
(720) 244-7038 (cell)
steve.moran () csssoftware com
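The request from Steve's dump, run through a small decoder that mimics the overlong-UTF-8 handling behind BID 1806 so the alert can be reproduced and triaged offline. This is an added example, not code from the thread or from Snort: the `lenient_utf8` model of what a vulnerable IIS accepted and the 0xC0/0xC1 lead-byte heuristic are assumptions, and the second sample request is constructed from the usual `%c0%af` form described in the advisory.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed from the hex dump in Steve's message (bytes 0x00-0x41).
SAMPLE_REQUEST = b"GET /scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"
# Constructed: the textbook form, where %c0%af is an overlong encoding of '/'.
SAMPLE_OVERLONG = b"GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\n\r\n"

def request_target(raw: bytes) -> bytes:
    """Return the request-target from the request line (method SP target SP version)."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]

def lenient_utf8(data: bytes) -> str:
    """Assumed model of the vulnerable IIS decoder: any 2-byte sequence with a
    0xC0..0xDF lead and a continuation byte is accepted, including the overlong
    ones (0xC0/0xC1 leads) that strict UTF-8 rejects; other bytes >= 0x80 become U+FFFD."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b)); i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))); i += 2
        else:
            out.append("\ufffd"); i += 1
    return "".join(out)

def analyse(raw: bytes) -> dict:
    """Decode the path the way IIS would and report what a defender wants to know."""
    path, _, query = request_target(raw).partition(b"?")
    decoded = lenient_utf8(unquote_to_bytes(path))
    depth, escaped = 0, False
    for seg in decoded.replace("\\", "/").split("/"):   # IIS also treats '\' as a separator
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0               # climbed above the web root
        elif seg not in ("", "."):
            depth += 1
    return {
        # 0xC0 and 0xC1 never appear as lead bytes in valid UTF-8: an encoded one
        # is the overlong-sequence signature (heuristic, not Snort's exact rule)
        "unicode_encoded": bool(re.search(rb"%[cC][01]", path)),
        "escapes_root": escaped,
        "command_shell": decoded.lower().endswith("cmd.exe") and query.startswith(b"/c"),
        "decoded_path": decoded,
    }
```

On the dump as captured, `%8s` is not a valid escape, so only the lead-byte heuristic and the `cmd.exe?/c` check fire; the `%c0%af` form decodes to `/scripts/../../winnt/...` and is reported as escaping the root.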





_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users