Snort mailing list archives

WEB-IIS cmd.exe access

From: Alwin Raymundo <alrayworld () yahoo com>
Date: Mon, 7 Oct 2002 06:57:16 -0700 (PDT)

Hi Everybody,

This morning when I review some of the attacked on our
ISS server, I found this

HEAD /c/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n
Host: xxx.xxx.xx.297\

and so many more.

My question is does my ISS server has been exploited?
because most of the time.  I always see "Connection
Closed" so I dont bother but this time I'm little bit
worried.

I check also the log files on the ISS server but the
IP address of the attacker was not there.

All service pack has been installed on this machine I
I think).  I just want to be sure if my machine is not
exploited.

anyone can shed light on this matter would be highly
aprecciated.

Thanks in Advance.



=====
Alwin Raymundo

__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

WEB-IIS cmd.exe access Alwin Raymundo (Oct 07)
- <Possible follow-ups>
- RE: WEB-IIS cmd.exe access Laverdière Yvan (Oct 07)
- RE: WEB-IIS cmd.exe access Brown, Bobby (US - Hermitage) (Oct 10)