[Dshield] Check this out.
johnh at aproposretail.com
Tue Aug 21 15:49:17 GMT 2001
"Ron E. Johnson" wrote:
> I seen a couple of these in my server logs. Looks like someone trying
> to come in through the backdoor CR was supposed to leave open.
> -----Original Message-----
> From: Paul Marsh [mailto:pmarsh at nmefdn.org]
> Sent: Monday, August 20, 2001 7:30 AM
> 2001-08-19 17:41:48 126.96.36.199 - GET /winnt/system32/cmd.exe /c+dir 401 80
No, this is not Code Red related - not all IIS exploits are, y'know. :)
This is an attempt to see if your system is misconfigured such that the
attacker can access files outside of the /inetpub hierarchy,
specifically the command shell program in c:/winnt/system32. There's a
patch that plugs this hole - I don't remember which off the top of my
Just in case further such holes arise, we've taken to recommending the
following to our clients:
Deny all access to /winnt/system32 from the IUSR_machinename (IIS
anonymous access) user.
cacls . /e /d IUSR_sysname
cacls *.exe /e /d IUSR_sysname
cacls *.com /e /d IUSR_sysname
Of course, this does NOT protect you against the CR backdoor; that runs
at system privileges, not anonymous-user privileges.
John Hardin <johnh at aproposretail.com>
Internal Systems Administrator voice: (425) 672-1304
Apropos Retail Management Systems, Inc. fax: (425) 672-0192
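As an added example (not part of the original list post or of anyone's reply), here is a small Python script that reads IIS log lines in the same field order as the entry quoted above and flags requests that reach for cmd.exe, for the /winnt/system32 directory, or use directory traversal. The log lines are constructed samples, not real traffic; the source addresses are documentation ranges. A hit with status 200 is the finding that matters: it means the server actually served the shell, so the misconfiguration the post describes is present, whereas a 401 or 404 shows only that someone probed for it.

```python
"""Flag IIS log entries that probe for the command shell outside the web root."""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not real traffic). Field order mirrors the entry
# quoted in the post: date time client-ip - method uri query status port.
SAMPLE_LOG = """\
2001-08-19 17:41:48 203.0.113.5 - GET /winnt/system32/cmd.exe /c+dir 401 80
2001-08-19 17:42:01 203.0.113.5 - GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir 200 80
2001-08-19 17:42:30 198.51.100.7 - GET /index.asp - 200 80
2001-08-19 17:43:10 198.51.100.7 - GET /images/logo.gif - 304 80
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) \S+ (?P<method>\S+) "
    r"(?P<uri>\S+) (?P<query>\S+) (?P<status>\d{3}) (?P<port>\d+)$"
)

SHELL_NAMES = ("cmd.exe",)
SYSTEM_DIRS = ("/winnt/system32", "/windows/system32")


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def normalize_path(uri):
    """Percent-decode once, fold backslashes to slashes and lower-case the path."""
    return unquote(uri).replace("\\", "/").lower()


def classify(entry):
    """List the reasons a request looks like a shell probe (empty list if benign)."""
    path = normalize_path(entry["uri"])
    reasons = []
    if any(path.endswith(name) for name in SHELL_NAMES):
        reasons.append("command shell requested")
    if any(d in path for d in SYSTEM_DIRS):
        reasons.append("path outside web root")
    if "/../" in path:
        reasons.append("directory traversal")
    return reasons


def scan(log_text):
    """Return one record per suspicious request found in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append({
                "ip": entry["ip"],
                "uri": entry["uri"],
                "status": int(entry["status"]),
                "reasons": reasons,
            })
    return hits


def succeeded(hits):
    """Probes the server answered with 200: the shell was actually served."""
    return [h for h in hits if h["status"] == 200]


def probes_by_ip(hits):
    """Count probes per source address to spot a scanner working through a host."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]} {h["status"]} {h["uri"]}  <- {", ".join(h["reasons"])}')
    print("served the shell:", len(succeeded(found)))
    print("probes per source:", dict(probes_by_ip(found)))
```

The script decodes the URI only once before matching; IIS logs record the raw request, so a traversal sequence sent percent-encoded would otherwise slip past a plain substring check. Pair the 200-status check with the cacls deny rules from the post: once the anonymous user is denied on system32, the same probe should log as an access failure rather than a success.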