Snort mailing list archives

Re: what does this mean


From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 5 Apr 2002 14:57:11 -0700 (MST)

On Fri, 5 Apr 2002, Omolayo Salako wrote:
I am getting a lot of this on one of my sensors, does this mean someone is
trying to do directory listing on my web server?

47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
25 33 35 25 36 33 2E 2E 2F 77 69 6E 6E 74 2F 73   %35%63../winnt/s
79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F   ystem32/cmd.exe?
2F 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D   /c+dir HTTP/1.0
0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E   .Host: www.Conn
6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A   nection: close.
0D 0A

Generally, yes.  If the attacker gets back a directory listing, then they
know your server is vulnerable.

In particular, this attack is most frequently performed by the Nimda worm,
as part of its spreading mechanism.

                                        Ryan
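
The path in the dump above hides a backslash under two layers of percent-encoding: `%%35%63` decodes to `%5c`, which decodes to `\`. The following Python sketch is an added example, not part of the original post or of Snort; it decodes the path until it stops changing and only then looks for `..` segments. The function names, result keys and the pass limit are assumptions made for the illustration.

```python
import re
from urllib.parse import unquote

# Request line transcribed from the packet dump quoted in the message above.
SAMPLE = "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0"

# ".." as a whole path segment, delimited by "/" or "\" (IIS accepts both).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
MAX_PASSES = 5  # assumption: cap on decode rounds so input cannot loop us


def decode_passes(path):
    """Percent-decode repeatedly; return the path after each pass."""
    stages = [path]
    for _ in range(MAX_PASSES):
        decoded = unquote(stages[-1], encoding="latin-1")
        if decoded == stages[-1]:
            break
        stages.append(decoded)
    return stages


def inspect_request_line(line):
    """Flag traversal that only appears after more than one decode."""
    _method, target, _version = line.split(" ", 2)
    path = target.partition("?")[0]
    stages = decode_passes(path)
    once = stages[min(1, len(stages) - 1)]
    final = stages[-1]
    return {
        "passes": len(stages) - 1,
        "decoded_path": final,
        "traversal_after_one_pass": bool(TRAVERSAL.search(once)),
        "traversal": bool(TRAVERSAL.search(final)),
        "targets_cmd_exe": final.lower().replace("\\", "/").endswith("/cmd.exe"),
    }


if __name__ == "__main__":
    for key, value in inspect_request_line(SAMPLE).items():
        print(f"{key}: {value}")
```

A check that decodes only once sees `..%5c..` with no path separator next to the dots, which is why the example compares the one-pass result with the fully decoded one.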

