[Snort-users] WEB-IIS cmd.exe access

Brown, Bobby (US - Hermitage) bobbrown at ...5777...
Thu Oct 10 08:13:17 EDT 2002

This is a constant scanning attempt to see if the server can be exploited.
If the directory listing comes back to the user, the server will accept
cmd.exe commands and the exploit will continue.

It is looking for Nimda-type exploited machines by looking for the IIS "c"
virtual root.


-----Original Message-----
From: Alwin Raymundo [mailto:alrayworld at ...131...]
Sent: Monday, October 07, 2002 8:57 AM
To: user snort
Subject: [Snort-users] WEB-IIS cmd.exe access

Hi Everybody,

This morning when I reviewed some of the attacks on our
ISS server, I found this:

HEAD /c/winnt/system32/cmd.exe?/c+dir+c:\ HTTP/1.0\r\n
Host: xxx.xxx.xx.297\

and so many more.

My question is: has my ISS server been exploited?
Because most of the time I always see "Connection
Closed", so I don't bother, but this time I'm a little bit

I also checked the log files on the ISS server, but the
IP address of the attacker was not there.

All service packs have been installed on this machine (I
think).  I just want to be sure if my machine is not

anyone can shed light on this matter would be highly

Thanks in Advance.

Alwin Raymundo
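
The reply's test (did the directory listing come back?) can be checked against the web server's own logs. The sketch below is an added example, not part of either message: it assumes IIS W3C extended logging with the fields named in the `#Fields:` line, uses constructed sample lines, and treats a 2xx status on a cmd.exe request as the cue for follow-up, which is a heuristic of this example.

```python
import re
from collections import defaultdict

# Constructed sample in W3C extended log format (documentation-range addresses).
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-07 12:41:03 192.0.2.10 HEAD /c/winnt/system32/cmd.exe /c+dir+c:\\ 404
2002-10-07 12:41:04 192.0.2.10 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 404
2002-10-07 12:44:19 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir+c:\\ 200
2002-10-07 12:50:00 203.0.113.5 GET /default.htm - 200
"""

PROBE = re.compile(r"cmd\.exe", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, using the column order from #Fields."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip malformed rows
                yield dict(zip(fields, values))


def triage(text):
    """Group cmd.exe requests by client IP; record those answered with 2xx."""
    report = defaultdict(lambda: {"probes": 0, "answered": []})
    for row in parse_w3c(text):
        if not PROBE.search(row.get("cs-uri-stem", "")):
            continue
        entry = report[row.get("c-ip", "unknown")]
        entry["probes"] += 1
        # Assumption of this example: 2xx means the request was served.
        if row.get("sc-status", "").startswith("2"):
            entry["answered"].append(
                f'{row.get("cs-method")} {row["cs-uri-stem"]}'
                f'?{row.get("cs-uri-query")}')
    return dict(report)


if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        verdict = ("INVESTIGATE: server returned 2xx" if entry["answered"]
                   else "probe only, no 2xx response")
        print(f"{ip}: {entry['probes']} cmd.exe request(s), {verdict}")
```

A client that appears in Snort alerts but has no matching row here, as in the original question, is consistent with a connection that was closed before the server logged a request.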
