Re: IIS on windows 2003

[John Doe <security.department () tele2 ch>]

Ricardo Montenegro am Montag, 19. Dezember 2005 22.24:
> Is atack?
>
> 2005-12-13 12:48:30 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD
> /samples/............/winnt/system32/cmd.exe /c+dir+c:\ 80 -
> 82.163.230.113 <http://82.163.230.113> - 404 0 3
> 2005-12-13 12:48:31 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD
> /scripts..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 82.163.230.113
> <http://82.163.230.113> - 404 0 3
> 2005-12-13 12:48:31 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD
> /scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 80 - 82.163.230.113
> <http://82.163.230.113> - 404 0 3

It's a try to execute cmd.exe, and since it's improbable that you have such a 
link anywhere to your site, it's a check for a vulnerability (rather than a 
real attack, I think).  

As you can see, there are several possibilities tried to traverse paths by 
circumventing (dumb) anti path traversal algorithms. This means that no 
attack vector is known yet, but "only" tried. 

So, it looks like coming from a script kiddie. I see such tries every day in 
the (apache) logs. 

joe

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------