Educause Security Discussion mailing list archives

Re: Chinese dot-dot-slash attack on Windows 2000/IIS


From: Justin Azoff <JAzoff () UAMAIL ALBANY EDU>
Date: Fri, 12 Sep 2008 16:46:18 -0400

On Thu, 2008-09-11 at 19:08 -0700, Andrew Daviel wrote:
> (previously posted to UNISOG)
>
> We had some guy coming in from Guangdong over Windows Terminal Server, with
> "B.A.C.K.D.O.O.R" buried in the network traffic. I thought we had a trojan
> server, but the server binary looks legit and the string was in incoming
> traffic, so maybe he's got a password but was using some funny client. Then we
> found some highly suspicious HTTP traffic:

Can't comment on the rest, but "B.A.C.K.D.O.O.R" was most likely just
the UTF-16 representation of "BACKDOOR"; the .'s were probably 0x00.

--
-- Justin Azoff
-- Network Performance Analyst
