Re: IIS Directory traversal vulnerability
From: Joe Smith (shadowm4n@yahoo.com)
Date: 07/25/01
- Previous message: Kelvin: "Network attack from S1 Corporation"
- In reply to: Lee Evans: "IIS Directory traversal vulnerability"
- Next in thread: Jordan K Wiens: "Re: IIS Directory traversal vulnerability"
- Next in thread: Bryan Allerdice: "RE: IIS Directory traversal vulnerability"
- Reply: Jordan K Wiens: "Re: IIS Directory traversal vulnerability"
- Reply: Jon Zobrist: "Re: IIS Directory traversal vulnerability"
Message-ID: <20010725171201.56051.qmail@web20107.mail.yahoo.com>
Date: Wed, 25 Jul 2001 10:12:01 -0700 (PDT)
From: Joe Smith <shadowm4n@yahoo.com>
Subject: Re: IIS Directory traversal vulnerability
To: Lee Evans <lee@vital.co.uk>, incidents@securityfocus.com
Lee,
Very likely, they copied winnt\system32\cmd.exe to
\scripts\dr.exe. If you check file sizes and dates
modified, they should be identical. The reason is
that they cannot run cmd.exe from the system32
directory; they have to run it from the scripts folder
(I think. Can anyone else confirm this?).
If dr.exe is vastly different than cmd.exe, then I've
got no clue.
-smith
--- Lee Evans <lee@vital.co.uk> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Any advice would be much appreciated - a couple of
> our boxes seem to have
> been exploited using a directory traversal
> vulnerability, by uploading a file
> called "dr.exe", and then passing this commands to
> remove files from the box.
>
> I have recovered our logfiles and the data
> fortunately, and I am still
> examining the logs.
>
> Is this dr.exe thing a known attack, (I can't seem
> to find anything about
> it)?
>
> The attacked boxes did have all the latest patches
> applied to them, and I
> double checked this during the code red crisis, and
> applied any that were
> missing.
>
> Any information would be much appreciated.
>
> Regards
> Lee
> - --
> Lee Evans
> Vital Online Ltd
>
> This message is intended only for the use of the
> person(s) ("The
> intended recipient(s)") to whom it is addressed.
> It may contain
> information which is privileged and confidential
> within the
> meaning of applicable law. If you are not the
> intended recipient,
> please contact the sender as soon as possible. The
> views expressed
> in this communication may not necessarily be the
> views held by Vital Online
> Ltd.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
>
iD8DBQE7XpKrhtUFQXeFbZYRAh0mAKCTpYRfp5m/MBHHc/tvYYdxMqf9qQCeNpru
> +QqVQuyw/IhvuMQfwnP7lhc=
> =Zel8
> -----END PGP SIGNATURE-----
>
>
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management
> and tracking system please see:
> http://aris.securityfocus.com
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
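
The reply above suggests comparing dr.exe with cmd.exe by file size and modification date. The following is an added example, not part of the original thread: it makes the same comparison by content hash, so a renamed or re-timestamped copy is still found. The directory layout and the file names other than cmd.exe and dr.exe are constructed for the demonstration.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=65536):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_copies(reference, search_dir):
    """Return (name, same_mtime) for files under search_dir equal to reference.
    Size is a cheap pre-filter, the hash decides; mtime is informational only."""
    ref = Path(reference)
    ref_stat, ref_hash = ref.stat(), sha256_of(ref)
    hits = []
    for path in sorted(Path(search_dir).rglob("*")):
        if not path.is_file() or path.stat().st_size != ref_stat.st_size:
            continue
        if sha256_of(path) == ref_hash:
            same_mtime = int(path.stat().st_mtime) == int(ref_stat.st_mtime)
            hits.append((path.name, same_mtime))
    return hits


def demo():
    """Constructed sample tree standing in for system32 and the scripts folder."""
    with tempfile.TemporaryDirectory() as root:
        sys32, scripts = Path(root, "system32"), Path(root, "scripts")
        sys32.mkdir()
        scripts.mkdir()
        ref = sys32 / "cmd.exe"
        ref.write_bytes(b"MZ" + b"constructed stand-in for cmd.exe" * 64)
        os.utime(ref, (1_000_000_000, 1_000_000_000))
        shutil.copy2(ref, scripts / "dr.exe")       # copy that keeps the timestamp
        shutil.copy(ref, scripts / "renamed.bin")   # same bytes, new timestamp
        (scripts / "other.exe").write_bytes(b"x" * ref.stat().st_size)  # same size only
        return find_copies(ref, scripts)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `find_copies` at the system's own cmd.exe and at each web-executable directory, preferably from a forensic copy of the disk rather than the live system.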