Snort mailing list archives
RE: WEB-IIS cmd.exe access
From: Laverdière Yvan <y.laverdiere () onf ca>
Date: Mon, 7 Oct 2002 10:41:47 -0400
You should pay attention to the HTTP return codes found in your web server logs. This code should give you a good hint regarding the success (or not) of the attack.

http://www.cknow.com/ckinfo/def_h/httpreturncodes.shtml

For example, a return code of 200 would be a good reason to grab a gun and start hunting... :)

Hope this helps,
Yvan

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Sent: Monday, October 07, 2002 8:57 AM
To: user snort
Subject: [Snort-users] WEB-IIS cmd.exe access

Hi Everybody,

This morning when I reviewed some of the attacks on our ISS server, I found this:

HEAD /c/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n
Host: xxx.xxx.xx.297\

and so many more. My question is: has my ISS server been exploited? Most of the time I always see "Connection Closed", so I don't bother, but this time I'm a little bit worried. I also checked the log files on the ISS server, but the IP address of the attacker was not there. All service packs have been installed on this machine (I think). I just want to be sure that my machine is not exploited. If anyone can shed light on this matter, it would be highly appreciated.

Thanks in advance.

=====
Alwin Raymundo
Current thread:
- WEB-IIS cmd.exe access Alwin Raymundo (Oct 07)
- <Possible follow-ups>
- RE: WEB-IIS cmd.exe access Laverdière Yvan (Oct 07)
- RE: WEB-IIS cmd.exe access Brown, Bobby (US - Hermitage) (Oct 10)