[Snort-users] WEB-IIS cmd.exe access

Alwin Raymundo alrayworld at ...131...
Mon Oct 7 06:58:38 EDT 2002


Hi Everybody,

This morning when I review some of the attacked on our
ISS server, I found this

HEAD /c/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n
Host: xxx.xxx.xx.297\

and so many more.

My question is does my ISS server has been exploited?
because most of the time.  I always see "Connection
Closed" so I dont bother but this time I'm little bit
worried.

I check also the log files on the ISS server but the
IP address of the attacker was not there.

All service pack has been installed on this machine I
I think).  I just want to be sure if my machine is not
exploited.

anyone can shed light on this matter would be highly
aprecciated.

Thanks in Advance.



=====
Alwin Raymundo

__________________________________________________
Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!
http://sbc.yahoo.com




More information about the Snort-users mailing list