Snort mailing list archives
RE: WEB-IIS cmd.exe access
From: "Brown, Bobby (US - Hermitage)" <bobbrown () deloitte com>
Date: Mon, 7 Oct 2002 09:13:14 -0500
This is a constant scanning attempt to see if the server can be exploited. If the directory listing comes back to the user, the server will accept cmd.exe commands and the exploit will continue. It is looking for Nimda-type exploited machines by looking for the IIS "c" virtual root.

Bobby

-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld () yahoo com]
Sent: Monday, October 07, 2002 8:57 AM
To: user snort
Subject: [Snort-users] WEB-IIS cmd.exe access

Hi Everybody,

This morning when I reviewed some of the attacks on our ISS server, I found this:

HEAD /c/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n
Host: xxx.xxx.xx.297\

and so many more. My question is: has my ISS server been exploited? Most of the time I always see "Connection Closed", so I don't bother, but this time I'm a little bit worried. I also checked the log files on the ISS server, but the IP address of the attacker was not there. All service packs have been installed on this machine (I think). I just want to be sure if my machine is not exploited. If anyone can shed light on this matter, it would be highly appreciated.

Thanks in advance.

=====
Alwin Raymundo

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
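The reply above ties the outcome to whether the directory listing comes back to the scanner. One way to check that from the web server's side, added here as an example that is not part of the original thread: parse IIS W3C extended logs and separate cmd.exe requests that were answered from those that were refused. The sample log lines and addresses are constructed, and treating a 2xx status as "the listing came back" is an assumption of this sketch.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C extended log format (not from the thread).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-07 13:41:02 192.0.2.10 GET /default.htm - 200
2002-10-07 13:55:17 198.51.100.7 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\\ 404
2002-10-07 13:55:19 198.51.100.7 GET /C/WINNT/system32/CMD.EXE /c+dir+c:\\ 403
2002-10-07 14:02:40 203.0.113.5 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 200
"""

PROBE = re.compile(r"cmd\.exe", re.IGNORECASE)


def triage(log_text):
    """Return (served, refused) lists of cmd.exe requests found in the log."""
    fields, served, refused = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        if not PROBE.search(rec.get("cs-uri-stem", "")):
            continue
        # Assumption: a 2xx status means the server answered the request.
        bucket = served if rec.get("sc-status", "").startswith("2") else refused
        bucket.append(rec)
    return served, refused


def sources(records):
    """Count requests per client address."""
    return Counter(r.get("c-ip", "?") for r in records)


if __name__ == "__main__":
    served, refused = triage(SAMPLE_LOG)
    for rec in served:
        print("INVESTIGATE", rec["date"], rec["time"], rec["c-ip"],
              rec["cs-uri-stem"], rec["cs-uri-query"], rec["sc-status"])
    print("refused probes by source:", dict(sources(refused)))
```

Entries in the served list are the ones to follow up on the host itself; refused probes are useful mainly for counting scan sources.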
Current thread:
- WEB-IIS cmd.exe access Alwin Raymundo (Oct 07)
- <Possible follow-ups>
- RE: WEB-IIS cmd.exe access Laverdière Yvan (Oct 07)
- RE: WEB-IIS cmd.exe access Brown, Bobby (US - Hermitage) (Oct 10)