Re: Curious Code Red Behavior with Star Office HTTPd

From: Ray Simard (ray.simard@sylvan-glade.com)
Date: Mon Aug 06 2001 - 17:19:31 PDT


    On Mon, 6 Aug 2001 17:06:19 -0400, "Tim"
    <webmaster@crazy-horse.net> wrote:
    
    >While going through my logs I happened to notice an AOL address and decided
    >...
    >Nothing unusual there....
    >Check out the 404 while I was testing for the Trojan aspect of the newer
    >variant:
    >----------
    >HTTP Error 404
    >404 Not found ("/c/winnt/system32/cmd.exe?/c+dir")
    
    I'm 95% sure it has nothing to do with Star Office. It appears
    to be an ordinary HTTP request looking for a MS IIS server
    that is set up with a virtual directory rooted at the root of
    the C: drive and named c. It then tries to execute a dir
    command to list out the contents of System32.
    
    I just tried it with the Peer Web server on my NT workstation.
    I created a virtual directory with the same name as the drive
    letter of my system partition (which isn't C:, though that's
    just circumstance). I then fired up IE and asked for:
    
    thishostname.mydomain.com/e/winnt/system32/cmd.exe?/c+dir
    
    (with the real names) and got a very pretty listing of the
    contents of my System32 directory.
    
    The Star Office HTTP server reported it simply because that
    was apparently the one that was listening on port 80 at the
    time.
    
    Needless to say, that virtual directory isn't there any more!
    (Though I firewall off all SYN packets sent to it anyway.)
    
    HTH,
    
    Ray Simard
    ray.simard@sylvan-glade.com
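
A defender's view of the request discussed above, as an added example that is not part of the original message: a Python scan of web access logs for requests that reach cmd.exe through a one-letter first path segment, separating probes the server rejected (the 404 in Tim's log) from ones it answered with 2xx. The log lines are constructed samples in Common Log Format, and the function names are hypothetical.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})\b')

# cmd.exe reached through a one-letter first segment, i.e. a virtual
# directory named after a drive letter: /c/winnt/system32/cmd.exe?/c+dir
PROBE = re.compile(r'^/(?P<vdir>[a-z])/(?:[^/?]+/)*cmd\.exe(?:\?(?P<args>.*))?$',
                   re.IGNORECASE)

def classify(line):
    """Return a finding dict for a drive-letter cmd.exe request, else None."""
    m = LINE.match(line)
    if not m:
        return None
    # Decode %xx once and fold backslashes so cmd%2Eexe and \ variants match.
    target = unquote(m['target']).replace('\\', '/')
    p = PROBE.match(target)
    if not p:
        return None
    status = int(m['status'])
    # 2xx means the server mapped the path to something real: investigate.
    # Anything else (404 in the thread's log) is a probe that found nothing.
    verdict = 'resolved' if 200 <= status < 300 else 'rejected'
    return {'ip': m['ip'], 'vdir': p['vdir'].lower(), 'args': p['args'],
            'status': status, 'verdict': verdict}

def scan(lines):
    """Classify every line and keep only the findings."""
    return [f for f in map(classify, lines) if f]

# Constructed sample lines (documentation IP ranges), not taken from the thread.
SAMPLE = [
    '192.0.2.10 - - [06/Aug/2001:17:01:02 -0400] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [06/Aug/2001:17:02:11 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 312',
    '198.51.100.7 - - [06/Aug/2001:17:02:12 -0400] "GET /e/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 8841',
    '203.0.113.5 - - [06/Aug/2001:17:03:40 -0400] "GET /C/WINNT/system32/cmd%2Eexe?/c+dir HTTP/1.0" 404 312',
]

if __name__ == '__main__':
    for f in scan(SAMPLE):
        print(f"{f['ip']:15} /{f['vdir']}/ status={f['status']} {f['verdict']}")
```

A `resolved` finding is the case Ray reproduced on his own workstation; `rejected` findings show probing only.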
    



    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 19:32:09 PDT