[unisog] increasing cmd.exe port 80/tcp probes

Russell Fulton r.fulton at auckland.ac.nz
Mon Jun 3 21:51:33 GMT 2002

On Mon, 2002-06-03 at 05:04, Jeff Anderson-Lee wrote:
> Starting on Jan 5, 2002 I've been noticing some particular probes
> appearing regularly in my apache logs.  There are two patterns of
> note.  The first is a single probe:
>     "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir"

We have seen these too.  I've also seen high speed serial SYN scans of
port 80 that are not accompanied by obvious probes. One of the machines
that we reported this activity on was examined but the people on site
could not find any obvious signs of compromise.  Unfortunately this
machine belonged to a small remote campus of a large university and
there was no one on site with forensic expertise and central IT support
was 300 miles away.  So they are just rebuilding the machine and making
sure the patches are applied.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
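
A sketch of how the probe quoted above could be picked out of an Apache access log, added here as an example and not part of the original post: it percent-decodes the request path until it stops changing, then flags paths that contain a directory traversal and end in cmd.exe. The log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common log format (documentation addresses).
SAMPLE_LOG = """\
192.0.2.10 - - [03/Jun/2002:05:04:11 +0000] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 289
192.0.2.10 - - [03/Jun/2002:05:04:12 +0000] "GET /index.html HTTP/1.0" 200 1043
198.51.100.7 - - [03/Jun/2002:05:09:40 +0000] "GET /docs/cmd.exe.html HTTP/1.0" 200 512
"""

# Captures: source address, method, request target, status code.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode until the string stops changing; return (decoded, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def classify(line):
    """Return a dict for a traversal request ending in cmd.exe, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    src, _method, target, status = m.groups()
    path = target.split("?", 1)[0]
    decoded, rounds = fully_decode(path)
    # Treat backslash as a path separator, as a Windows web server would.
    normalized = decoded.replace("\\", "/").lower()
    if "../" in normalized and normalized.endswith("/cmd.exe"):
        # Status is kept so failed probes can be told apart from served requests.
        return {"src": src, "status": int(status),
                "decode_rounds": rounds, "path": normalized}
    return None

def scan(log_text):
    """Classify every line and keep only the flagged requests."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A `decode_rounds` value above 1 marks a request whose path was encoded more than once, as in the `%255c` probe quoted above.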
