Security Incidents mailing list archives
Re: IIS Directory traversal vulnerability
From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Wed, 25 Jul 2001 15:31:02 -0400 (EDT)
It's just easier to use. You can use the unicode bug to execute cmd.exe from any directory with execute permissions, but copying cmd to a file in /scripts/ has the ease of use of not having to worry about the unicode and cmd, so you can execute commands on it without (at least, that's their hope) triggering an IDS, or the admin noticing REALLY strange entries in the log. Maybe the only partially strange logs won't tip them off.

Plus, there's the added benefit that even when patches are installed on the machine, the hacker has easy access right in because no unicode is necessary to use dr.exe. Again, assuming that dr.exe really is cmd.exe.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Wed, 25 Jul 2001, Joe Smith wrote:
> Lee,
>
> Very likely, they copied winnt\system32\cmd.exe to \scripts\dr.exe. If you check file sizes and dates modified, they should be identical. The reason why is because they cannot run cmd.exe from the system32 directory, they have to run it from the scripts folder (I think. Can anyone else confirm this?). If dr.exe is vastly different than cmd.exe, then I've got no clue.
>
> -smith
>
> --- Lee Evans <lee () vital co uk> wrote:
>
> > Any advice would be much appreciated - a couple of our boxes seem to have been exploited using a directory traversal vulnerability, by uploading a file called "dr.exe", and then passing it commands to remove files from the box. I have recovered our logfiles and the data fortunately, and I am still examining the logs.
> >
> > Is this dr.exe thing a known attack? (I can't seem to find anything about it.) The attacked boxes did have all the latest patches applied to them, and I double checked this during the Code Red crisis, and applied any that were missing.
> >
> > Any information would be much appreciated.
> >
> > Regards
> > Lee
> >
> > --
> > Lee Evans
> > Vital Online Ltd

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and
tracking system please see: http://aris.securityfocus.com
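The log side of what Jordan and Joe describe, as an added example that is not part of the original thread or of any tool mentioned in it: a small Python scanner over constructed IIS W3C-format log lines that flags (a) requests whose path carries the overlong-UTF-8 or double-percent-encoded separators used by the IIS Unicode and double-decode traversal bugs, (b) requests to an executable whose query begins with cmd.exe's /c switch, whatever the executable happens to be called, and (c) requests to an executable sitting directly under /scripts/ that is not on a site allowlist. The field layout, the sample lines, the allowlist and the function names are assumptions, not anything from the original posts.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended format (field layout is an assumption;
# real servers log whatever #Fields they are configured for). Not real data.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-25 10:01:02 192.0.2.10 GET /default.asp - 200
2001-07-25 10:01:05 192.0.2.77 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\dr.exe 502
2001-07-25 10:01:09 192.0.2.77 GET /scripts/dr.exe /c+dir+c:\\inetpub\\wwwroot 200
2001-07-25 10:01:13 192.0.2.77 GET /scripts/dr.exe /c+del+c:\\inetpub\\wwwroot\\default.asp 200
2001-07-25 10:02:00 192.0.2.10 GET /scripts/search.exe q=widgets 200
2001-07-25 10:02:30 192.0.2.99 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
"""

# Overlong UTF-8 and double-percent-encoded forms of "/" and "\" that IIS 4/5
# decoded only after the ".." traversal check (the Unicode and double-decode bugs).
TRAVERSAL_ENCODINGS = re.compile(
    r"%c0%af|%c1%9c|%c1%1c|%c1%pc|%c0%9v|%c0%qf|%c1%8s|"
    r"%255c|%252f|%%35c|%25%35%63|%25%32%66",
    re.IGNORECASE,
)

# cmd.exe's "/c <command>" switch as it appears in a URL query ("+" for the space).
SHELL_SWITCH = re.compile(r"^/c\+", re.IGNORECASE)

# An executable directly under /scripts/ (no further path components).
SCRIPTS_EXE = re.compile(r"/scripts/[^/\\]+\.exe")

# Assumption: the executables this site legitimately serves from /scripts/.
KNOWN_SCRIPTS_EXES = {"/scripts/search.exe"}


def parse_w3c(text):
    """Yield (line_no, record) for each data line, using the #Fields directive."""
    fields = None
    for line_no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record: skip rather than guess
        yield line_no, dict(zip(fields, parts))


def analyse(text, known_exes=KNOWN_SCRIPTS_EXES):
    """Return one finding per suspicious request, listing every reason it matched."""
    findings = []
    for line_no, rec in parse_w3c(text):
        stem = rec["cs-uri-stem"]
        query = rec["cs-uri-query"]
        stem_lc = stem.lower()
        reasons = []
        if TRAVERSAL_ENCODINGS.search(stem):
            reasons.append("encoded-traversal")
        # Decode twice to see the path roughly as the buggy server did; this
        # catches %255c and friends even if an encoding is missing from the table.
        if re.search(r"\.\.[\\/]", unquote(unquote(stem))):
            reasons.append("decoded-traversal")
        if stem_lc.endswith(".exe") and SHELL_SWITCH.match(query):
            reasons.append("cmd-shell-invocation")
        if SCRIPTS_EXE.fullmatch(stem_lc) and stem_lc not in known_exes:
            reasons.append("unknown-scripts-executable")
        if reasons:
            findings.append({"line": line_no, "ip": rec["c-ip"], "stem": stem,
                             "query": query, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f'line {f["line"]:>3} {f["ip"]:<12} {", ".join(f["reasons"])}')
        print(f'         {f["stem"]} ?{f["query"]}')
```

The two dr.exe requests contain nothing a Unicode-traversal signature would match, which is exactly the behaviour Jordan describes; they are caught only by the /c+ switch in the query and by the executable not being on the allowlist. The allowlist is the part a site has to tune, and an attacker who names the copy after a legitimate CGI defeats that check, leaving the shell-switch match and a file comparison on disk as the remaining evidence.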
Current thread:
- IIS Directory traversal vulnerability Lee Evans (Jul 25)
- Re: IIS Directory traversal vulnerability Joe Smith (Jul 25)
- Re: IIS Directory traversal vulnerability Jordan K Wiens (Jul 25)
- Re: IIS Directory traversal vulnerability Jon Zobrist (Jul 25)
- RE: IIS Directory traversal vulnerability Bryan Allerdice (Jul 25)
- Re: IIS Directory traversal vulnerability Lee Evans (Jul 26)
- <Possible follow-ups>
- Re: IIS Directory traversal vulnerability Reverend Lola (Jul 25)
- Re: IIS Directory traversal vulnerability Joe Smith (Jul 25)