Security Basics mailing list archives
Re: IIS on windows 2003
From: John Doe <security.department () tele2 ch>
Date: Wed, 21 Dec 2005 12:17:08 +0100
Ricardo Montenegro am Montag, 19. Dezember 2005 22.24:
Is atack? 2005-12-13 12:48:30 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD /samples/............/winnt/system32/cmd.exe /c+dir+c:\ 80 - 82.163.230.113 <http://82.163.230.113> - 404 0 3 2005-12-13 12:48:31 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD /scripts..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 82.163.230.113 <http://82.163.230.113> - 404 0 3 2005-12-13 12:48:31 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 80 - 82.163.230.113 <http://82.163.230.113> - 404 0 3
It's a try to execute cmd.exe, and since it's improbable that you have such a link anywhere to your site, it's a check for a vulnerability (rather than a real attack, I think). As you can see, there are several possibilities tried to traverse paths by circumventing (dumb) anti path traversal algorithms. This means that no attack vector is known yet, but "only" tried. So, it looks like coming from a script kiddie. I see such tries every day in the (apache) logs. joe --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations. http://www.msia.norwich.edu/secfocus ----------------------------------------------------------------------------
Current thread:
- IIS on windows 2003 Ricardo Montenegro (Dec 20)
- Re: IIS on windows 2003 Gaddis, Jeremy L. (Dec 21)
- Re: IIS on windows 2003 John Doe (Dec 21)