Vulnerability Development mailing list archives
Re: Curious Code Red Behavior with Star Office HTTPd
From: Ray Simard <ray.simard () sylvan-glade com>
Date: Mon, 06 Aug 2001 17:19:31 -0700
On Mon, 6 Aug 2001 17:06:19 -0400, "Tim" <webmaster () crazy-horse net> wrote:
> While going through my logs I happened to notice an AOL address and decided ... Nothing unusual there.... Check out the 404 while I was testing for the Trojan aspect of the newer variant:
> ----------
> HTTP Error 404
> 404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")
I'm 95% sure it has nothing to do with Star Office. It appears to be an ordinary HTTP request looking for a MS IIS server that is set up with a virtual directory rooted at the root of the C: drive and named c. It then tries to execute a dir command to list out the contents of System32.

I just tried it with the Peer Web server on my NT workstation. I created a virtual directory with the same name as the drive letter of my system partition (which isn't C:, though that's just circumstance). I then fired up IE and asked for:

thishostname.mydomain.com/e/winnt/system32/cmd.exe?/c+dir

(with the real names) and got a very pretty listing of the contents of my System32 directory.

The Star Office HTTP server reported it simply because that was apparently the one that was listening on port 80 at the time.

Needless to say, that virtual directory isn't there any more! (Though I firewall off all SYN packets sent to it anyway.)

HTH,
Ray Simard
ray.simard () sylvan-glade com
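A log check for the request pattern discussed in this thread, added here as an example and not part of the original messages: it scans web server access logs for requests of the form /<drive letter>/winnt/system32/cmd.exe and separates rejected probes from ones the server answered with a 2xx status. The Common Log Format layout, the sample lines and their addresses, and the function names are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample lines in Common Log Format (assumed format, not from the thread).
SAMPLE_LOG = """\
192.0.2.10 - - [06/Aug/2001:16:58:02 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
192.0.2.10 - - [06/Aug/2001:16:58:03 -0400] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 283
198.51.100.7 - - [06/Aug/2001:17:01:44 -0400] "GET /index.html HTTP/1.0" 200 1420
203.0.113.5 - - [06/Aug/2001:17:03:10 -0400] "GET /E/WINNT/System32/CMD.EXE?/c+dir HTTP/1.0" 200 9120
198.51.100.7 - - [06/Aug/2001:17:04:00 -0400] "GET /docs/cmd.exe.html HTTP/1.0" 200 512
"""

# client, method, request target, status
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# One drive-letter path segment, then the NT system directory and cmd.exe.
PROBE = re.compile(r'^/([a-z])/winnt/system32/cmd\.exe(?:\?(.*))?$', re.IGNORECASE)

def find_probes(log_text):
    """Return one dict per request that matches the drive-root cmd.exe pattern."""
    hits = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a parseable log line
        client, _method, target, status = m.groups()
        p = PROBE.match(unquote(target))  # decode %xx so encoded variants match too
        if not p:
            continue
        code = int(status)
        hits.append({
            "client": client,
            "drive": p.group(1).lower(),
            "query": p.group(2) or "",
            "status": code,
            # Assumption: a 2xx status is treated as a sign the path was mapped and served.
            "served": 200 <= code < 300,
        })
    return hits

def summarize(hits):
    """Group hits by client: drive letters tried, and whether any request was served."""
    out = defaultdict(lambda: {"drives": set(), "served": False})
    for h in hits:
        out[h["client"]]["drives"].add(h["drive"])
        out[h["client"]]["served"] |= h["served"]
    return dict(out)

if __name__ == "__main__":
    for client, info in summarize(find_probes(SAMPLE_LOG)).items():
        print(client, sorted(info["drives"]), "SERVED" if info["served"] else "rejected")
```

Any client reported as served points at a host that still has a drive-root virtual directory like the one described above and should be examined first.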