Re: IIS Directory traversal vulnerability

From: Lee Evans (leeat_private)
Date: Thu Jul 26 2001 - 01:25:27 PDT


    Firstly, thank you all for your advice.
    
    I have spent the last day or so pulling my system and its logs apart, but I
    am not particularly an expert in this field. This is what seems to be
    happening:
            1) the attacker accesses cmd.exe, and runs 'dir' on all the drives.
            2) the attacker copies cmd.exe to /scripts/winshell.exe (although he
    never seems to access this winshell.exe)
            3) the attacker uses cmd.exe to ftp hd.exe & dr.exe onto the box
            4) the attacker accesses hd.exe, which seems to take arguments of
    files to be deleted.
            5) hd.exe deletes data from the hard drive
            6) the lamer's AOL account disconnects, and we never hear from him
    again :)
    
    I will endeavour to post the IIS logs shortly.
    
    Many thanks for any further advice.
    
    Regards
    Lee
    - --
    Lee Evans
    Vital Online Ltd
    
    This  message is intended only for the use of the person(s) ("The
    intended recipient(s)")  to  whom it is addressed.  It may contain
    information which is privileged and confidential within  the
    meaning  of  applicable law.  If you are not the intended  recipient,
    please  contact the sender as soon as possible.  The views expressed
    in this communication may not necessarily be the views held by Vital Online
    Ltd.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
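As an added example (not part of Lee's post or the list archive), a small Python checker that walks IIS W3C log lines for the stages the message describes: cmd.exe reached through directory traversal, a copy into /scripts/, an ftp fetch, and execution of the dropped tool. The log lines, client IP addresses and tool arguments below are constructed sample data.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log lines (sample data, not from the original post)
# that mirror the sequence the message describes: cmd.exe reached via directory
# traversal, a copy into /scripts/, an ftp fetch, then the dropped tool being run.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-25 03:12:01 192.0.2.10 GET /scripts/..%2f..%2fwinnt/system32/cmd.exe /c+dir+c:\\ 200
2001-07-25 03:12:40 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\winshell.exe 200
2001-07-25 03:14:02 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe /c+ftp+-s:c:\\get.txt 200
2001-07-25 03:15:30 192.0.2.10 GET /scripts/hd.exe c:\\data\\*.* 200
2001-07-25 03:16:00 198.51.100.7 GET /default.htm - 200
"""

# One predicate per stage of the intrusion described in the post, evaluated over
# the decoded, lower-cased URI stem and query of a single request.
STAGES = {
    "traversal":       lambda stem, q: "../" in stem,
    "cmd_exe":         lambda stem, q: stem.endswith("cmd.exe"),
    "copy_to_scripts": lambda stem, q: q.startswith("/c copy") and "scripts" in q,
    "ftp_download":    lambda stem, q: re.search(r"\bftp\b", q) is not None,
    "dropped_tool":    lambda stem, q: "/scripts/" in stem and stem.endswith(".exe")
                                       and not stem.endswith("cmd.exe"),
}

def classify(line):
    """Return (time, client ip, set of matched stage names) for one log line."""
    _date, time, ip, _method, stem, query, _status = line.split()
    # Undo URL encoding and normalise separators before matching, so an encoded
    # or backslash-written traversal is seen the same way the server saw it.
    stem = unquote(stem).lower().replace("\\", "/")
    query = unquote(query.replace("+", " ")).lower()   # IIS logs query spaces as '+'
    hits = {name for name, test in STAGES.items() if test(stem, query)}
    return time, ip, hits

def suspicious_clients(log, min_stages=2):
    """Group matched stages per client; return {ip: sorted stages} for clients
    that hit at least `min_stages` distinct stages or reached cmd.exe at all."""
    seen = {}
    for line in log.splitlines():
        if not line or line.startswith("#"):        # skip the W3C header lines
            continue
        _, ip, hits = classify(line)
        seen.setdefault(ip, set()).update(hits)
    return {ip: sorted(s) for ip, s in seen.items()
            if len(s) >= min_stages or "cmd_exe" in s}

if __name__ == "__main__":
    for ip, stages in suspicious_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(stages))
```

Run it against a real ex*.log with the same field order, or adjust the unpacking in `classify` to match the `#Fields:` line of your logs.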
    



    This archive was generated by hypermail 2b30 : Thu Jul 26 2001 - 09:13:36 PDT