Re: A small quandary

• Previous message: listuser: "Spam via proxy"
• In reply to: Mahoney, Paul: "A small quandary"
• Next in thread: Julian Young: "Odd entries in my Security Router logs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Sat, 7 Dec 2002 19:27:40 +0100
From: gminick <gminick@underground.org.pl>
To: incidents@securityfocus.com

On Wed, Dec 04, 2002 at 08:30:08PM -0800, Mahoney, Paul wrote:
[...]
> /scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c: 1 -
> /cgi-bin/mrtg.cgi?cfg=/../../../../../../../../../winnt/win.ini 1 -
> /scripts/.%252e/.%252e/winnt/system32/cmd.exe?/c+dir+c:\\
> My question to everyone out there is would anyone be able to tell me if
> this kind of attack has the fingerprints of any known software/viruses
> in the field or is it a deliberate attempt to gain access to my clients
> site?
What you're seeing is a work of some vulnerability scanner,
and it looks like it checks for dozens of possible vulnerabilities
like directory traversals (i.e: <http://www.kb.cert.org/vuls/id/111677>,
<http://online.securityfocus.com/bid/1806/exploit/>) and vulnerabilities
in CGI scripts. Such scanners are doing things as they were blind.
It isn't important what kind of software you're using, that tool
probes you as long as one of its methods works against your server.
If your server answered with http code 404 it means that there's no
such script of file on your server. What's also important there exists
attack against windoze boxes and against unix/linux ones.
If you're running apache on linux all those "/scripts/.%252e/.%252e
/winnt/system32/cmd.exe?/c+dir+c:\\" can't hurt you.
If you're interested in exploring those malicious toys take a look at
<http://www.ussrback.com/files.html>,
<http://packetstormsecurity.nl/UNIX/cgi-scanners/> and
<http://www.zone-h.org/en/download/category=3/>.

-- 
[ ] gminick (at) underground.org.pl  http://gminick.linuxsecurity.pl/ [ ]
[ "Po prostu lubie poranna samotnosc, bo wtedy kawa smakuje najlepiej." ]
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

• Next message: Logan F.D. Greenlee: "EBay Fraud Attempt"
• Previous message: listuser: "Spam via proxy"
• In reply to: Mahoney, Paul: "A small quandary"
• Next in thread: Julian Young: "Odd entries in my Security Router logs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [NT] WebBBS Pro Multiple Denial of Service Vulnerabilities (AUX, *, LPT) ... Latest attack techniques. ... package providing an easy to use and secure Web Server". ... SecurITeam Experts (the CON and AUX vulnerabilities). ... (Securiteam) Re: Bastard spammers ... >It would be a bit pointless to set up a DNS server, a mail server, a ... >believed it less vulnerable to attack. ... >opens and web pages accessed etc.), ... >etc.) by exploiting vulnerabilities in the running service. ... (uk.legal) Re: Views and Correlation in Intrusion Detection ... a db with the info on each server - OS, applications, ... vulnerabilities, etc. ... a detection engine that matches the IP and attack sig to the entry in ... hitting my network *unless* I have a box that's susceptible to Code Red. ... (Focus-IDS) [CORE-2003-12-05] DCE RPC Vulnerabilities New Attack Vectors Analysis ... DCE RPC Vulnerabilities New Attack Vectors Analysis ... They might also apply to other vulnerabilities such as the DCE RPC DCOM ... (Bugtraq) [CORE-2003-12-05] DCE RPC Vulnerabilities New Attack Vectors Analysis ... DCE RPC Vulnerabilities New Attack Vectors Analysis ... They might also apply to other vulnerabilities such as the DCE RPC DCOM ... (Pen-Test)