[lug] Interesting Access Message
Calvin Dodge
caldodge at fpcc.net
Tue Jul 31 11:11:01 MDT 2001
On Tue, Jul 31, 2001 at 04:59:24PM +0000, Greg Horne wrote:
> I was going through my server logs (apache on linux) and I noticed this
> error message:
>
> 24.41.72.83 - - [31/Jull/2001:08:05:39 -0700] "GET
> /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping+-n+1+-l+64+-w+1+24.41.72.83
> HTTP/1.0" 404 -
>
> Has anybody ever seen anything like this???

Yep - I see an average of one a week in my web server logs.

It's an exploit for IIS (the "winnt" is a bit of a giveaway) - getting the web server to "walk up the directory tree" by using non-English equivalents to the "\" character, which are recognized by the file system, but NOT by the (pre-patch) web server.

In this case it looks like they're trying to get your server to ping someone else (probably as part of a DOS attack).

Calvin
--
Calvin Dodge
Certified Linux Bigot (tm)
http://www.caldodge.fpcc.net
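
An added example, not part of the original thread: a Python check that scans Apache access-log lines for requests like the one quoted above. It percent-decodes the path repeatedly (`%255c` becomes `%5c`, then `\`) and flags multi-layer encoding, `..` traversal and references to `cmd.exe`; the sample lines, the 192.0.2.x addresses and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common log format: host ident user [time] "METHOD target PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)(?: \S+)?" (\d{3}) \S+$')
# A ".." path segment delimited by either slash or backslash.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SHELL_RE = re.compile(r'(cmd|command)\.(exe|com)', re.IGNORECASE)

def fully_decode(path, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(path, encoding="latin-1")
        if decoded == path:
            break
        path, rounds = decoded, rounds + 1
    return path, rounds

def inspect(line):
    """Return a finding dict for a suspicious log line, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, _method, target, status = m.groups()
    decoded, rounds = fully_decode(target.split("?", 1)[0])
    reasons = []
    if rounds > 1:
        reasons.append("multi-layer percent-encoding")
    if TRAVERSAL_RE.search(decoded):
        reasons.append("dot-dot traversal")
    if SHELL_RE.search(decoded):
        reasons.append("Windows command interpreter in path")
    if not reasons:
        return None
    return {"host": host, "status": int(status), "decoded": decoded,
            "rounds": rounds, "reasons": reasons}

# Constructed sample lines, modelled on the request quoted in the thread.
SAMPLE_LINES = [
    '192.0.2.10 - - [31/Jul/2001:08:05:39 -0700] "GET '
    '/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping+-n+1+192.0.2.10 HTTP/1.0" 404 -',
    '192.0.2.20 - - [31/Jul/2001:08:06:01 -0700] "GET /docs/a%20b.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(inspect(line))
```

A 404 on a flagged line, as in the quoted log entry, means the server did not serve the requested path; the finding is still worth recording as scan activity from that host.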