In the past, I have applied the patches to my NT4 IIS 4.0 system to address the Web folder traversal/unicode problems (also CodeRed). If I look at my IIS logs, I see plenty of attempts to get to WinNT\system32\cmd.exe but all get turned down.
Last week, one of these attacks was successful. Looking in the log, it says that the request was (from memory) for:
(I'm not sure if I have exactly the right number of /.. in there).
My system has InetPub on the D drive, and WinNT on the C drive, so I don't see how any number of /.. on the request could possibly result in a successful GET.
Can you explain this behaviour, and suggest any remedy?
I'm curious to see the exact URL. If the actual request was being passed to an executable or a script, the server may have returned a success (HTTP 200) message, regardless of whether the attacker actually succeeded in executing CMD.EXE. For example, this request could return a success message because someprogram.exe was successfully passed the following parameters:
However, no harm could be done unless someprogram.exe knew how to process the portion of the request after the command name, which may be the case if the attacker was attempting to exploit a known vulnerability.