Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Is someone hacking?

From: "Patric Svensson" <patric.svensson () nt se>
Date: Wed, 2 Jan 2002 11:44:28 +0100
Hello!
 
I get a lot of alerts like this: WEB-IIS cmd.exe access and like this
WEB-IIS CodeRed v2 root.exe access. How will I know if the server has
been hacked?
 
The payload look like this: "GET
/scripts/..%2f../winnt/system32/cmd.exe?/c+dir r HTTP/1.0..Host:
www..Connnection: close.." 
For the "WEB-IIS cmd.exe access" alert. If anyone could help me with
this I would be very happy.
 
Best
Patric Svensson
Previous By Date Next
Previous By Thread Next

Current thread: