Log oddity.

From: Lars M. Hansen (badnews_at_hansenonline.net)
Date: 03/05/04


Date: Fri, 05 Mar 2004 22:57:50 GMT

Here's an oddity from my web server logs:

24.147.200.151 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir

(some info has been removed for clarity).

Now, that's just another attempt at exploiting an old directory
traversal bug in IIS, and there's really nothing odd about that.

The odd thing is that the IP address is my own. That is the IP address
of my firewall. The only way my firewall's IP address would show up in
the log like that would be if I made the request from the LAN side using
that IP address (i.e. http://24.147.200.151). So, it may look like I
have a worm or something on my network?

Well, I did some packet captures as well, and there is no internal
traffic going to that IP address. When these requests are made, the only
traffic is between the firewall and the LAN IP of the web servers. If I
do request a page from the web server using the WAN IP address, three IP
addresses show up in the sniffed packets (the firewall's WAN IP address,
the web server's IP address and the client's IP address).

Since there are only two IP addresses involved, and the MAC addresses do
match, the only likely answer I have is that someone is scanning IP
addresses using the same IP address as source and destination. It really
doesn't make any sense, but I can't see any other solution.

Anyone care to offer some insight?

Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
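The two things a reader would want to check in logs like the one quoted above are (a) whether the request really walks above the web root once it is decoded the way a double-decoding server would decode it (`..%%35c..` becomes `..%5c..` after one pass and `..\..` after a second), and (b) whether the client address is one of the server's own public addresses. The script below is an added example, not code from the original post or from its author; the log format, the second and later sample lines, and the set of "own" addresses are constructed assumptions.

```python
"""Triage helpers for web-server log lines of the kind quoted in the post.

Check 1: percent-decode the request target repeatedly, treat backslashes
         as separators, and see whether the resolved path climbs above the
         document root.  A traversal that only appears after the SECOND
         decode (e.g. '..%%35c..' -> '..%5c..' -> '..\\..') is flagged
         separately, since that is exactly what a server that validates
         after one decode and decodes again afterwards would miss.
Check 2: flag requests whose client address is one of the server's own
         public (WAN) addresses, the oddity described in the post.
"""
import re
import urllib.parse

# Constructed sample log (assumed format: <client_ip> "<METHOD> <target>").
# Only the first line is modelled on the one quoted in the post; the rest
# are made up to exercise the single-encoded, benign and in-root cases.
SAMPLE_LOG = """\
24.147.200.151 "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir"
198.51.100.23 "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir"
203.0.113.9 "GET /images/site%20logo.png"
10.0.0.7 "GET /docs/../index.html"
"""

# Assumed: the firewall/web server's own WAN address(es) from the scenario.
OWN_PUBLIC_IPS = {"24.147.200.151"}

LINE_RE = re.compile(r'^(?P<ip>\S+)\s+"(?P<method>[A-Z]+)\s+(?P<target>\S+)"')


def decode_repeatedly(target, max_passes=2):
    """Return the successive forms `target` takes under repeated
    percent-decoding, starting with the raw form.  Stops early once a
    pass changes nothing, so a plain path yields a single-element list."""
    forms = [target]
    for _ in range(max_passes):
        nxt = urllib.parse.unquote(forms[-1])
        if nxt == forms[-1]:
            break
        forms.append(nxt)
    return forms


def escapes_webroot(decoded_target):
    """True if the path part of `decoded_target`, with backslashes treated
    as separators and '..' resolved, ever climbs above the document root."""
    path = decoded_target.split("?", 1)[0].replace("\\", "/")
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def analyze_line(line, own_ips=OWN_PUBLIC_IPS):
    """Parse one log line and return the triage verdicts, or None if the
    line does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    forms = decode_repeatedly(m["target"])
    fully_decoded = forms[-1]
    return {
        "ip": m["ip"],
        "target": m["target"],
        "decoded": fully_decoded,
        "traversal": escapes_webroot(fully_decoded),
        # Escapes the root only after a second decode pass (double encoding).
        "double_encoded_traversal": (
            len(forms) > 2
            and not escapes_webroot(forms[1])
            and escapes_webroot(fully_decoded)
        ),
        # Client address equals one of the server's own public addresses.
        "self_sourced": m["ip"] in own_ips,
    }


def analyze(log_text, own_ips=OWN_PUBLIC_IPS):
    """Run analyze_line over every line of `log_text`, skipping non-matches."""
    results = (analyze_line(l, own_ips) for l in log_text.splitlines())
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        flags = [k for k in ("traversal", "double_encoded_traversal", "self_sourced") if r[k]]
        print(f'{r["ip"]:16} {r["decoded"]:50} {", ".join(flags) or "-"}')
```

Note that the decoding here deliberately mimics the weak behaviour (decode, then decode again) in order to see what the attacker intended; a server-side check should instead decode once, reject any remaining `%` escapes, and canonicalise before comparing against the document root.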
