It's an IIS remote command execution exploit. It worked pretty well, the
patch has been out for months, though.

dave

On Tue, 18 Sep 2001, Freddie Mendoza wrote:

> Anyone seen these in their logs lately
>
> 216.129.13.39 - - [18/Sep/2001:08:20:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
> 216.129.13.39 - - [18/Sep/2001:08:20:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
> 216.95.249.5 - - [18/Sep/2001:08:24:22 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
> 216.95.249.5 - - [18/Sep/2001:08:24:23 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
>
>
> I've seen these every once in a while but today
> it comes from a lot of different IP addresses and it seems
> to mimic the default.ida attacks such that you
> see it from all random IP addresses and it's every
> few seconds.
>
> I wonder if this is another virus which now executes this
> command from servers affected.
>
> Or could it be someone is IP spoofing and fooling
> aolserver to log a different IP address in the logs?
>
>
> --
> Freddie  Mendoza
> [EMAIL PROTECTED]
> Search Engine for Cheap Books
> http://satori.com/cheapbooks
>

--
Dave Weis             "I believe there are more instances of the abridgement
[EMAIL PROTECTED]   of the freedom of the people by gradual and silent
                      encroachments of those in power than by violent
                      and sudden usurpations."- James Madison
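
One way to triage entries like the ones quoted above, added here as an example and not posted by anyone in the thread: it groups requests for `cmd.exe` or `default.ida` by source address, records the time span and response codes, and lists any source that received something other than a 4xx answer. The pattern list, the function names and the last sample line (a documentation-range address) are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format prefix: host ident user [timestamp] "request" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)
# Request targets named in the thread (assumed pattern list for this example).
PROBE_RE = re.compile(r"cmd\.exe|default\.ida", re.IGNORECASE)

# First four lines: the entries quoted in the thread. Last line: constructed benign hit.
SAMPLE_LOG = """\
216.129.13.39 - - [18/Sep/2001:08:20:19 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
216.129.13.39 - - [18/Sep/2001:08:20:20 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
216.95.249.5 - - [18/Sep/2001:08:24:22 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
216.95.249.5 - - [18/Sep/2001:08:24:23 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 212 "" ""
192.0.2.10 - - [18/Sep/2001:08:25:01 -0500] "GET /index.html HTTP/1.0" 200 1043 "" ""
"""

def summarize_probes(log_text):
    """Group probe requests by source IP: hit count, time span, status codes."""
    sources = defaultdict(
        lambda: {"hits": 0, "first": None, "last": None, "statuses": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not PROBE_RE.search(m["uri"]):
            continue  # unparseable line or ordinary request
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        s = sources[m["ip"]]
        s["hits"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["statuses"].add(int(m["status"]))
    return dict(sources)

def needs_followup(summary):
    """Sources whose probe got any non-4xx status, i.e. was not rejected."""
    return sorted(ip for ip, s in summary.items()
                  if any(not 400 <= code < 500 for code in s["statuses"]))

if __name__ == "__main__":
    summary = summarize_probes(SAMPLE_LOG)
    for ip, s in sorted(summary.items()):
        print(ip, s["hits"], s["first"].isoformat(), sorted(s["statuses"]))
    print("follow up:", needs_followup(summary))
```

On the quoted entries every probe was answered with 404, so the follow-up list is empty; a source appearing there is the case worth investigating on the host itself.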
