Re: www.google.com reference in directory-traversal attack

From: Chris Ess (azarinat_private)
Date: Mon Jul 14 2003 - 13:56:50 PDT


> I've included a link to a tcpdump taken that shows a standard IIS
> directory-traversal attack. I was looking over the packets and noticed a
> reference to www.google.com. Could someone take a look, and let me know
> what this is being used for?
>
> http://12.208.102.165/attack3.dump
> attack3.dump=1.6kb

Okay.  I'm going to make a guess here.

The GET string, excerpted below, indicates that it is using HTTP/1.1:
GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\script.exe HTTP/1.1

(Pretty nice URL by the way.)

In order to make a valid HTTP/1.1 request, you have to specify a host name
(I think the proper terminology is 'host header') for the request.  I'm
guessing that whoever devised this tool decided to just throw in
'www.google.com' as a host header.  Under IIS, if you specify a host name
that is not configured, it falls back on the first virtual host that is
configured for the IP.  So by specifying 'www.google.com', they pretty
much guarantee that they will fall to the first host -- and on a default
IIS install, this will be the default web site which lives under
c:\inetpub\wwwroot

So this is my armchair one minute guess-analysis.  Hope it helps somewhat.

Sincerely,


Christopher Ess
System Administrator / CDTT (Certified Duct Tape Technology)
    
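An added example, not part of the thread: a small Python triage of request lines that percent-decodes repeatedly (so the `%255c` in the quoted GET string becomes a backslash before the path is checked for traversal) and flags a Host header that matches none of the server's configured sites. The configured-host set and every sample request except the quoted GET line are assumptions made up for the example.

```python
from urllib.parse import unquote

# Hypothetical set of host headers actually configured on the server.
CONFIGURED_HOSTS = {"intranet.example.com"}

# Constructed sample requests as (request line, Host header). The first
# request line is the one quoted in the thread; the rest are made up here.
SAMPLE_REQUESTS = [
    ("GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+copy+c:\\winnt\\system32\\cmd.exe+c:\\inetpub\\scripts\\script.exe HTTP/1.1", "www.google.com"),
    ("GET /scripts/..%5c..%5cwinnt/system32/cmd.exe?/c+dir HTTP/1.0", None),
    ("GET /images/../../etc/passwd HTTP/1.1", "intranet.example.com"),
    ("GET /index.html HTTP/1.1", "intranet.example.com"),
]

def canonical_path(raw_path, max_rounds=3):
    """Percent-decode until the string stops changing (%255c -> %5c -> \\),
    treat backslash as a separator, then resolve '.' and '..' segments.
    Returns (clean_path, escapes_root)."""
    path, prev, rounds = raw_path.split("?", 1)[0], None, 0
    while path != prev and rounds < max_rounds:
        prev, path = path, unquote(path)
        rounds += 1
    stack, escapes_root = [], False
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes_root = True   # '..' walked above the web root
        elif seg not in ("", "."):
            stack.append(seg)
    return "/" + "/".join(stack), escapes_root

def triage(request_line, host):
    """Return the list of findings for one request; empty means nothing odd."""
    method, raw_path, version = request_line.split(" ", 2)
    findings = []
    clean, escaped = canonical_path(raw_path)
    if escaped:
        findings.append("traversal")
    if "%25" in raw_path.lower():          # encoded '%' means a second layer
        findings.append("double-encoding")
    if clean.lower().endswith("cmd.exe"):
        findings.append("cmd.exe")
    if version == "HTTP/1.1" and host is None:
        findings.append("missing-host")     # HTTP/1.1 requires a Host header
    elif host is not None and host.lower() not in CONFIGURED_HOSTS:
        findings.append("unconfigured-host")  # server will fall back to a default site
    return findings

if __name__ == "__main__":
    for line, host in SAMPLE_REQUESTS:
        print(triage(line, host) or "clean", "<-", line[:60])
```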
This archive was generated by hypermail 2b30 : Tue Jul 15 2003 - 11:06:24 PDT