[Dshield] Check this out.

John Hardin johnh at aproposretail.com
Tue Aug 21 15:49:17 GMT 2001

"Ron E. Johnson" wrote:
> I seen a couple of these in my server logs.  Looks like someone trying
> to come in through the backdoor CR was supposed to leave open.
> -----Original Message-----
> From: Paul Marsh [mailto:pmarsh at nmefdn.org]
> Sent: Monday, August 20, 2001 7:30 AM
> 2001-08-19 17:41:48 - GET /winnt/system32/cmd.exe /c+dir
> 401 80

No, this is not Code Red related - not all IIS exploits are, y'know. :)

This is an attempt to see if your system is misconfigured such that the
attacker can access files outside of the /inetpub hierarchy,
specifically the command shell program in c:/winnt/system32. There's a
patch that plugs this hole - I don't remember which off the top of my

Just in case further such holes arise, we've taken to recommending the
following to our clients:

Deny all access to /winnt/system32 from the IUSR_machinename (IIS
anonymous access) user. 

     cd \winnt\system32
     cacls . /e /d IUSR_sysname
     cacls *.exe /e /d IUSR_sysname
     cacls *.com /e /d IUSR_sysname

Of course, this does NOT protect you against the CR backdoor; that runs
at system privileges, not anonymous-user privileges.

John Hardin                                   <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192

More information about the list mailing list