RE: IIS Directory traversal vulnerability

From: Bryan Allerdice (bryan_allerdiceat_private)
Date: Wed Jul 25 2001 - 13:19:28 PDT

  • Next message: Jordan K Wiens: "Re: IIS Directory traversal vulnerability"

     
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    It might help us if you were to include the portion of your IIS logs
    which contain dr.exe.
    
    Seeing how the commands are passed to dr.exe should give us a clue as
    to whether dr.exe is simply cmd.exe renamed, or whether it is some
    other customized command interpreter.
    
    (When including the log portion, you may want to replace the IP
    address of your server, and the IP of the attacker... other people do
    when they upload logs to these lists.)
    
    BRYAN
    
    - -----Original Message-----
    From: Lee Evans [mailto:leeat_private]
    Sent: Wednesday, July 25, 2001 5:35 AM
    To: incidentsat_private
    Subject: IIS Directory traversal vulnerability
    
    
    - -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Any advice would be much appreciated - a couple of our boxes seem to
    have 
    been exploited using a directory traversal vulnerabiltiy, by
    uploading a file 
    called "dr.exe", and then passing this commands to remove files from
    the box.
    
    I have recovered our logfiles and the data fortunately, and I am
    still 
    examining the log's.
    
    Is this dr.exe thing a known attack, (I can't seem to find anything
    about 
    it).?
    
    The attacked boxes did have all the latest patches applied to them,
    and I 
    double checked this during the code red crisis, and applied any that
    were 
    missing.
    
    Any information would be much appreciated.
    
    Regards
    Lee
    - - -- 
    Lee Evans
    Vital Online Ltd
    
    This  message is intended only for the use of the person(s) ("The
    intended recipient(s)")  to  whom it is addressed.  It may contain
    information which is privileged and confidential within  the  
    meaning  of  applicable law.  If you are not the intended  recipient,
    please  contact the sender as soon as possible.  The views expressed
    in this communication may not necessarily be the views held by Vital
    Online 
    Ltd.
    - -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: For info see http://www.gnupg.org
    
    iD8DBQE7XpKrhtUFQXeFbZYRAh0mAKCTpYRfp5m/MBHHc/tvYYdxMqf9qQCeNpru
    +QqVQuyw/IhvuMQfwnP7lhc=
    =Zel8
    - -----END PGP SIGNATURE-----
    
    
    - ----------------------------------------------------------------------
    - ------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>
    
    iQA/AwUBO18pz4QImHalSbbtEQKuLwCbBv9DlpPedtht2AtoSJJksEaZkcwAoMLs
    9F7COPAV+6zE2kgLuZA48lGt
    =V6Fh
    -----END PGP SIGNATURE-----
    
    
    _________________________________________________________
    Do You Yahoo!?
    Get your free @yahoo.com address at http://mail.yahoo.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Jul 25 2001 - 14:10:19 PDT