RE: WEB-IIS cmd.exe access

[Laverdière Yvan <y.laverdiere () onf ca>]

You should pay attention to the HTTP return codes found in your web server
logs. This code should give you a good hint regarding the success (or not)
of the attack.

http://www.cknow.com/ckinfo/def_h/httpreturncodes.shtml

For example, a return code of 200 would be a good reason to grab a gun and
start hunting... :)

Hope this helps,

Yvan

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com] 
Sent: Monday, October 07, 2002 8:57 AM
To: user snort
Subject: [Snort-users] WEB-IIS cmd.exe access

Hi Everybody,

This morning when I review some of the attacked on our
ISS server, I found this

HEAD /c/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n
Host: xxx.xxx.xx.297\

and so many more.

My question is does my ISS server has been exploited?
because most of the time.  I always see "Connection
Closed" so I dont bother but this time I'm little bit
worried.

I check also the log files on the ISS server but the
IP address of the attacker was not there.

All service pack has been installed on this machine I
I think).  I just want to be sure if my machine is not
exploited.

anyone can shed light on this matter would be highly
aprecciated.

Thanks in Advance.



=====
Alwin Raymundo

__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users