[Snort-users] web iis attack

Alwin Raymundo alrayworld at ...131...
Fri Oct 25 07:58:02 EDT 2002

Hi Guys,

Thanks to all who responded to my email (question).
AFAIK, my IIS server was patched with SP6a and
cummulative patch for the IIS.

I installed also on my linux box (apache+frontpage
extension) and I got the same attacked but the payload
say that "connection closed".  It is annoying because
in ISS payload in Acid it showed my External IP Add. 
and I dont know if this successful or not.

Thanks again for the insight of this matter.

I'm completely blind because It does not log it on my
IIS LOG.  Tell you frankly I'm not expert on IIS.

Any tips to improve my security on my win nt box will
be highly appreciated.

Your brother in Snort.

--- Security Admin <SecurityAdmin at ...7235...>
> Hi Alwin, this is a directory traversal attack (like
> code red). You can try
> it yourself by putting the line in the IIS logs into
> your browser and
> prepending your domain name. If you are on anything
> other than a windows
> platform (with iis/pws so server, pro etc) this
> attack will have no effect.
> If you are on a windows platform hopefully you have
> applied all the security
> patches and SP3.
> The %c1%1c will convert to some character....likely
> the \
> /samples/check.bat/../../../winnt/system32/cmd.exe?/
> I don't know what the c+dir? converts to but the
> attack is trying to run
> check.bat in your iissamples directory, and then
> execute cmd.exe (your
> command prompt).
> These attacks are very common, I've noticed more
> this past 2 weeks, can't
> remember exactly but something about the 19th of the
> month and code red or
> nimda....
> Hopefully you have completed basic IIS hardening on
> your box which protects
> you from most of this...
> Wayne
> -----Original Message-----
> From: Alwin Raymundo [mailto:alrayworld at ...131...] 
> Sent: Friday, October 25, 2002 5:55 AM
> To: user snort
> Subject: [Snort-users] web iis attack
> Hi Guys,
> I got a massive attack from one IP doing something
> on
> my one IIS server.  I already post it, some say that
> I
> should look at the iss log files if they succeded
> getting in or not.
> Almost a week I puzzled my self because the snort
> detect it and log the packets and everything while
> on
> ISS log there is nothing. Absolutely nothing.
> BTW, here are the sample logs in snort 
> dir+c:\
> HTTP/1.0..Host: xxx.xx.xx.91
> Is there any software or utilities that can do this?
> let me know because I want to try it myself.
> I need your help guys.
> Thanks in Advance
> Your brother in snort 
> =====
> Alwin Raymundo
> __________________________________________________
> Do you Yahoo!?
> New DSL Internet Access from SBC & Yahoo!
> http://sbc.yahoo.com
> This sf.net email is sponsored by: Influence the
> future 
> of Java(TM) technology. Join the Java Community 
> Process(SM) (JCP(SM)) program now. 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or
> unsubscribe:
> Snort-users list archive:

Alwin Raymundo

Do you Yahoo!?
New DSL Internet Access from SBC & Yahoo!

More information about the Snort-users mailing list