Security Incidents mailing list archives
Re: IIS Directory traversal vulnerability
From: Jon Zobrist <kgb () ussr com>
Date: Wed, 25 Jul 2001 15:21:28 -0600
Very likely, they copied winnt\system32\cmd.exe to \scripts\dr.exe. If you check file sizes and dates modified, they should be identical. The reason why is because they cannot run cmd.exe from the system32 directory, they have to run it from the scripts folder (I think. Can anyone else confirm this?).
No, there is no problem running cmd.exe from it's place in system32 (that's how they get cmd.exe copied to /scripts/), but each time requires executing whatever exploit they've used. To make it easier you copy cmd.exe to the scripts dir so you can execute it directly. This also cuts down on IDS hits and system logs that look very suspicious. -Jon ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- IIS Directory traversal vulnerability Lee Evans (Jul 25)
- Re: IIS Directory traversal vulnerability Joe Smith (Jul 25)
- Re: IIS Directory traversal vulnerability Jordan K Wiens (Jul 25)
- Re: IIS Directory traversal vulnerability Jon Zobrist (Jul 25)
- RE: IIS Directory traversal vulnerability Bryan Allerdice (Jul 25)
- Re: IIS Directory traversal vulnerability Lee Evans (Jul 26)
- <Possible follow-ups>
- Re: IIS Directory traversal vulnerability Reverend Lola (Jul 25)
- Re: IIS Directory traversal vulnerability Joe Smith (Jul 25)