Vulnerability Development mailing list archives

Re: Curious Code Red Behavior with Star Office HTTPd


From: Ray Simard <ray.simard () sylvan-glade com>
Date: Mon, 06 Aug 2001 17:19:31 -0700

On Mon, 6 Aug 2001 17:06:19 -0400, "Tim"
<webmaster () crazy-horse net> wrote:

While going through my logs I happened to notice an AOL address and decided
...
Nothing unusual there....
Check out the 404 while i was testing for the Trojan aspect of the newer
variant:
----------
HTTP Error 404
404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")

I'm 95% sure it has nothing to do with Star Office. It appears
to be an ordinary HTTP request looking for a MS IIS server
that is set up with a virtual directory rooted at the root of
the C: drive and named c. It then tries to execute a dir
command to list out the contents of System32.

I just tried it with the Peer Web server on my NT workstation.
I created a virtual directory with the same name as the drive
letter of my system partition (which isn't C:, though that's
just circumstance). I then fired up IE and asked for:

thishostname.mydomain.com/e/winnt/system32/cmd.exe?/c+dir

(with the real names) and got a very pretty listing of the
contents of my System32 directory.

The Star Office HTTP server reported it simply because that
was apparently the one that was listening on port 80 at the
time.

Needless to say, that virtual directory isn't there any more!
(Though I firewall off all SYN packets sent to it anyway.)

HTH,

Ray Simard
ray.simard () sylvan-glade com
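The request Ray describes above is easy to pick out of a web server log, and the response status tells you whether the probe found a misconfigured virtual directory (a 404 like the one Tim saw) or actually got a listing (a 200). The following is an added example, not code from the original thread or from either poster, that scans constructed common-log-format lines for the "/c/winnt/system32/cmd.exe?/c+dir" pattern and for the single-letter virtual directory it relies on. The log lines, IP addresses and the helper names classify_request and scan_log are all assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample lines in common-log format (assumed for this example,
# not taken from the page). Two carry the probe discussed in the thread.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2001:17:00:01 -0400] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [06/Aug/2001:17:02:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.9 - - [06/Aug/2001:17:02:12 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.7 - - [06/Aug/2001:17:05:40 -0400] "GET /images/logo.gif HTTP/1.0" 200 2231
10.0.0.7 - - [06/Aug/2001:17:06:02 -0400] "GET /c/readme.txt HTTP/1.0" 200 512
"""

# Minimal common-log-format parser: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def classify_request(target: str):
    """Return a reason string if the request target looks like the cmd.exe
    probe from the thread, or None for an ordinary request."""
    parts = urlsplit(target)
    # Percent-decode and lower-case so trivially re-encoded variants still match.
    path = unquote(parts.path).lower()
    query = unquote(parts.query).lower()
    # Strong signal: cmd.exe requested through the web server with a "/c"
    # query, i.e. "/c+dir" is "cmd.exe /c dir" with '+' standing for a space.
    if path.endswith("/cmd.exe") and query.startswith("/c"):
        return "cmd.exe invoked through web server (query: %s)" % query
    # Weaker signal: a one-letter top-level directory used as a drive root,
    # which is what the probe needs in order to reach \winnt at all.
    if re.match(r"^/[a-z]/winnt/", path):
        return "drive-letter virtual directory used to reach winnt"
    return None


def scan_log(text: str):
    """Parse log text and return a list of flagged entries with reasons.
    The status code is kept so a reviewer can tell a 404 (probe failed)
    from a 200 (the virtual directory exists and the listing was served)."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_request(m.group("target"))
        if reason:
            hits.append({
                "ip": m.group("ip"),
                "status": m.group("status"),
                "target": m.group("target"),
                "reason": reason,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run against a real access log, the interesting entries are the ones with status 200: those are the servers where, as in Ray's test with the Peer Web server, a virtual directory named after a drive letter really was mapped to the drive root. A 404 against a non-IIS server, like the Star Office listener in the original report, is just the probe missing.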

