It seems to be a web directory traversal exploit. A web server should not allow remotely initiated access to files outside of the web server specified directories. Unfortunately NT 4 and 2000 unpatched do allow this technique, which can be performed with a simple browser. The intruder is attempting to execute an NT command (get a directory listing). I am used to seeing 404 as the result when your server is patched. I am not sure why it is giving a 500 response (internal server error).
Anyway, you may be able to use the IP Audit features of the Pix to catch this signature.

Joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Fei Yang
Sent: Monday, April 08, 2002 11:56 AM
To: [EMAIL PROTECTED]
Subject: Attack through Port 80

Last week I checked our IIS web server's log file and found the following attack logs. I am using a Cisco PIX and opened port 80 for our web server. Could anyone tell me what kind of attack these are and how to block them out of my network by PIX?

#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:24 24.157.182.174 - 24.157.93.95 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -

Thanks,
Fei.

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
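
A log check for the requests discussed in this thread, as an added example that is not part of the original messages: it reads IIS W3C extended log lines using the #Fields header, percent-decodes cs-uri-stem and flags any request whose decoded path contains a ".." segment. It goes slightly beyond the two encodings in the posted log by decoding repeatedly until the value stops changing; the sample log lines, addresses and function names are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in the W3C extended format shown in the post
# (addresses are documentation ranges, not the ones from the post).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2002-03-29 01:39:24 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:25 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 500 -
2002-03-29 01:39:26 192.0.2.10 - 198.51.100.5 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 -
2002-03-29 01:40:02 192.0.2.77 - 198.51.100.5 80 GET /default.htm - 200 Mozilla/4.0
2002-03-29 01:40:09 192.0.2.77 - 198.51.100.5 80 GET /docs/release..notes.htm - 200 Mozilla/4.0
"""


def normalise(stem, max_rounds=5):
    """Percent-decode until stable (catches repeated encoding), unify slashes."""
    for _ in range(max_rounds):
        decoded = unquote(stem)
        if decoded == stem:
            break
        stem = decoded
    return stem.replace("\\", "/").lower()


def find_traversal(log_text):
    """Return (c-ip, raw stem, sc-status) for requests whose decoded path has a '..' segment."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]       # column names for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):      # malformed or truncated row: skip it
            continue
        row = dict(zip(fields, values))
        # Compare whole path segments so names like "release..notes.htm" do not match.
        if ".." in normalise(row["cs-uri-stem"]).split("/"):
            hits.append((row["c-ip"], row["cs-uri-stem"], row["sc-status"]))
    return hits


if __name__ == "__main__":
    for ip, stem, status in find_traversal(SAMPLE_LOG):
        print(f"{ip} {status} {stem}")
```

The check reports the raw stem and the sc-status together, so a 404 or 500 on a flagged request can be told apart from a 200 that would need follow-up.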
