[lug] Interesting Access Message

Calvin Dodge caldodge at fpcc.net
Tue Jul 31 11:11:01 MDT 2001

On Tue, Jul 31, 2001 at 04:59:24PM +0000, Greg Horne wrote:
> I was going through my server logs (apache on linux) and I noticed this 
> error message:
> - - [31/Jull/2001:08:05:39 -0700] "GET 
> /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+ping+-n+1+-l+64+-w+1+ 
> HTTP/1.0" 404 -
> Has anybody ever seen anything like this???

Yep - I see an average of one a week in my web server logs.

It's an exploit for IIS (the "winnt" is a bit of a giveaway) - getting the web server to "walk up the directory tree" by using non-English equivalents to the "\" character, which are recognized by the file system, but NOT by the (pre-patch) web server.

In this case it looks like they're trying to get your server to ping someone else (probably as part of a DoS attack).


Calvin Dodge
Certified Linux Bigot (tm)
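
One way to find requests like the one quoted above in an Apache access log (an added example, not part of the original message): the script URL-decodes each request path repeatedly and reports after how many passes a `..\` or `../` step appears; `%255c` becomes `%5c` after one pass and `\` after two. The function names, `MAX_ROUNDS`, and every part of the sample log other than the quoted request string are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+)(?: HTTP/[\d.]+)?"')
# A parent-directory step followed by either path separator
TRAVERSAL_RE = re.compile(r"\.\.[\\/]")
MAX_ROUNDS = 3  # assumption: deeper nesting than this is not chased

def traversal_depth(target):
    """Return how many URL-decode passes expose '../' or '..\\' in the path
    (0 means it is visible as logged), or None if it never appears."""
    path = target.split("?", 1)[0]          # ignore the query string
    for rounds in range(MAX_ROUNDS + 1):
        if TRAVERSAL_RE.search(path):
            return rounds
        decoded = unquote(path)
        if decoded == path:                 # nothing left to decode
            return None
        path = decoded
    return None

def scan(lines):
    """Return (line_number, decode_passes, request_target) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        depth = traversal_depth(m.group(1))
        if depth is not None:
            hits.append((n, depth, m.group(1)))
    return hits

# Constructed sample: client addresses, timestamps and the two benign
# requests are made up; the first request string is the one quoted above.
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2001:08:05:39 -0700] "GET /scripts/..%255c..%255c'
    'winnt/system32/cmd.exe?/c+ping+-n+1+-l+64+-w+1+ HTTP/1.0" 404 -',
    '192.0.2.11 - - [31/Jul/2001:08:06:02 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.12 - - [31/Jul/2001:08:07:15 -0700] "GET /docs/release%20notes.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for n, depth, target in scan(SAMPLE_LOG):
        print(f"line {n}: traversal after {depth} decode pass(es): {target}")
```

A hit that needs two or more passes is worth separating from ordinary single-encoded paths, since legitimate clients rarely encode the percent sign itself.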

