[Dshield] New IIS directory traversal worm, or just a tool sig?

BarkerJr BarkerJr at ClanCdG.com
Thu Nov 7 21:04:10 GMT 2002


GETs actually specifying a server hostname are proxy checks, I 
believe.  My guess is that someone is trying to make web server/proxies 
hack into a government web server.

> One identical to this at the end of September, 2 in late October, 4
> since November 1.  No two from the same source.  Looks like Nimda to me,
> but you're right, it looks like a different twist.
> 
> 
> -----Original Message-----
> From: James C Slora Jr [mailto:Jim.Slora at phra.com]
> Sent: Monday, November 04, 2002 12:50 PM
> To: list at dshield.org
> Subject: [Dshield] New IIS directory traversal worm, or just a tool sig?
> 
> 
> Since Friday, I have seen this from nine different addresses. IIS directory
> traversal attack is on the local system - not an HTTP CONNECT. The hostname
> is being specified as "ww.tk.gov" (not a real public host), but this is just
> window dressing on the attack.
> 
> http://ww.tk.gov/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe
> 
> Anyone else seen this?
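
Added example, not part of the original thread: a log-triage sketch that reports the two properties the posts discuss as separate signals, namely a hostname in the request line (absolute URI, as a proxy would receive) and a double-encoded traversal to cmd.exe. The signal names and the sample lines other than the quoted URL are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Request target as quoted in the thread.
THREAD_URL = (r"http://ww.tk.gov/scripts/..%255c..%255cwinnt/system32/cmd.exe"
              r"?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe")

# Constructed request lines (not captured traffic) for comparison.
SAMPLES = [
    "GET " + THREAD_URL + " HTTP/1.0",
    "GET http://example.com/ HTTP/1.0",
    "GET /docs/100%25-uptime.html HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

def fully_decode(text, max_rounds=5):
    """Percent-decode until the text stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds

def classify(request_line):
    """Return the sorted list of signals found in one HTTP request line."""
    fields = request_line.split()
    if len(fields) != 3:
        return ["malformed"]
    target = urlsplit(fields[1])
    signals = set()
    if target.scheme and target.netloc:
        signals.add("absolute-uri")       # hostname in the request line itself
    path, rounds = fully_decode(target.path)
    if rounds >= 2:
        signals.add("double-encoded")     # e.g. %255c -> %5c -> backslash
    segments = re.split(r"[\\/]+", path)  # Windows accepts both separators
    if ".." in segments:
        signals.add("traversal")
    if segments[-1].lower() == "cmd.exe":
        signals.add("cmd-exe")
    return sorted(signals)

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line), line)
```

A single legitimate `%25` in a path decodes only once, so it does not raise the double-encoded signal.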



